
Virus/Spyware Problems


  • This topic is locked
41 replies to this topic

#1 Tom J. (Authentic Member, 22 posts)

Posted 13 January 2006 - 09:40 PM

Hello,

I'm trying to clean my son's computer. It was infected with quite a few viruses and spyware. I've gotten rid of most of them except for the virus "Adware Generic.GGW". AVG will find it and delete it, but when I scan again it comes right back. The file name it refers to is C:\Windows\System32\??chost.exe.
Also, when I run Spybot it will find the same spyware (Windows Active Desktop, CoolWWWSearch.BadZoneMap, TNS-Search); it will delete them, but when I rescan they come right back! I've used Spybot, Ad-aware SE, CWShredder and Ewido.
Thanks for your help!!


Logfile of HijackThis v1.97.7
Scan saved at 5:09:38 PM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Nitrodial V2\nitrodialV2.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bright.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://ie.redirect.h...ario&pf=desktop
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Nitrodial V2.lnk = C:\Program Files\Nitrodial V2\nitrodialV2.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/227
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\progra~1\nitrod~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\nitrod~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\nitrod~1\sliplsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\nitrod~1\sliplsp.dll
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099087094687
O16 - DPF: {6C995DAA-A7AD-701D-CD4C-3BBE1D7D68C6} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.g...rvest/gwCID.CAB
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4C8319A-2022-422E-8C2F-3D16E87B594B}: NameServer = 209.143.0.10 66.209.140.124



#2 Siggyx (SuperHelper, 6,776 posts)

Posted 13 January 2006 - 10:02 PM

Hi and welcome to the forum. :D

You need an updated version of Hijackthis which you can get from HERE.

Edited by Siggyx, 13 January 2006 - 10:03 PM.


#3 Tom J. (Authentic Member, 22 posts)

Posted 13 January 2006 - 10:19 PM

Thanks Siggyx, here's my updated version.



Logfile of HijackThis v1.99.1
Scan saved at 11:10:35 PM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Nitrodial V2\nitrodialV2.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT#2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bright.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Nitrodial V2.lnk = C:\Program Files\Nitrodial V2\nitrodialV2.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099087094687
O16 - DPF: {6C995DAA-A7AD-701D-CD4C-3BBE1D7D68C6} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.g...rvest/gwCID.CAB
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4C8319A-2022-422E-8C2F-3D16E87B594B}: NameServer = 209.143.0.10 66.209.140.124
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#4 Siggyx (SuperHelper, 6,776 posts)

Posted 13 January 2006 - 10:26 PM

Scan with hijackthis and put a check beside these lines and choose FIX

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {6C995DAA-A7AD-701D-CD4C-3BBE1D7D68C6} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab

Then reboot, update ewido, scan and post the ewido log and a new hijackthis log please.

#5 Tom J. (Authentic Member, 22 posts)

Posted 14 January 2006 - 12:00 PM

Sorry it took me so long to reply, but here are the ewido and hijackthis logs.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:43:37 PM, 1/14/2006
+ Report-Checksum: 64E8C86B

+ Scan result:

C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafic[1].txt -> Spyware.Cookie.Trafic : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C94Z0JON\mm[1].js -> Spyware.Chitika : Cleaned with backup


::Report End





Logfile of HijackThis v1.99.1
Scan saved at 12:57:16 PM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Nitrodial V2\nitrodialV2.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bright.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Nitrodial V2.lnk = C:\Program Files\Nitrodial V2\nitrodialV2.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099087094687
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.g...rvest/gwCID.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4C8319A-2022-422E-8C2F-3D16E87B594B}: NameServer = 209.143.0.10 66.209.140.124
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#6 Siggyx (SuperHelper, 6,776 posts)

Posted 15 January 2006 - 12:56 AM

Please do an online scan with Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 Tom J. (Authentic Member, 22 posts)

Posted 15 January 2006 - 04:24 PM

Thanks for your help Siggyx, here's my scan report.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 15, 2006 17:16:45
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/01/2006
Kaspersky Anti-Virus database records: 171497
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 61948
Number of viruses found: 14
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 2775 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0007 Infected: Trojan-Clicker.Win32.VB.ex
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0008/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0008/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0010/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0010 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.p
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L81ZQEK8\index[1].htm Infected: Exploit.HTML.Mht
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MP0JQHY5\dia148[1]/[From <x>]/html Infected: Exploit.VBS.Phel.i
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MP0JQHY5\dia148[1] Infected: Exploit.VBS.Phel.i
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X9EBDG05\teen[1].htm Infected: Trojan-Clicker.JS.Linker.h
C:\Program Files\HJT#2\backups\backup-20060114-120920-982.dll Infected: Trojan-Dropper.Win32.Agent.hn
C:\WINDOWS\svrrunu.exe Infected: Trojan.Win32.Qrap
C:\WINDOWS\system32\msehek.dll Infected: not-a-virus:AdWare.Win32.WebSearch.bb
C:\WINDOWS\system32\msfdje.gif Infected: not-a-virus:AdWare.Win32.ClientMan
C:\WINDOWS\system32\ѕνchost.exe Infected: not-a-virus:AdWare.Win32.PurityScan.dn

Scan process completed.

#8 Siggyx

Posted 15 January 2006 - 08:16 PM

Go to Add/Remove Programs, look for Bargain Buddies and remove it if present.

Next.

Download TheKillbox from here http://www.downloads...org/KillBox.zip Save to your Desktop and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINDOWS\svrrunu.exe
C:\WINDOWS\system32\msehek.dll
C:\WINDOWS\system32\msfdje.gif

Next,

Download CCleaner from here >>>>> http://www.majorgeek...wnload4191.html

Save it to your desktop. Open CCleaner and click on "run cleaner" at the bottom right.

Reboot and post a new Kaspersky and HijackThis log please.

#9 Tom J.

Posted 15 January 2006 - 09:59 PM

Followed your instructions line by line and here are my new log reports.



KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 15, 2006 22:49:31
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/01/2006
Kaspersky Anti-Virus database records: 171507
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 56382
Number of viruses found: 11
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 2799 sec

Infected Object Name - Virus Name
C:\!KillBox\msehek.dll Infected: not-a-virus:AdWare.Win32.WebSearch.bb
C:\!KillBox\msfdje.gif Infected: not-a-virus:AdWare.Win32.ClientMan
C:\!KillBox\svrrunu.exe Infected: Trojan.Win32.Qrap
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0007 Infected: Trojan-Clicker.Win32.VB.ex
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0008/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0008/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0009 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0010/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0010 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.p
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream/data0011 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Desktop\funcade_MEDIAWHIZ1_install.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\HJT#2\backups\backup-20060114-120920-982.dll Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP7\A0000178.exe Infected: Trojan.Win32.Qrap
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP7\A0000179.dll Infected: not-a-virus:AdWare.Win32.WebSearch.bb
C:\WINDOWS\system32\ѕνchost.exe Infected: not-a-virus:AdWare.Win32.PurityScan.dn

Scan process completed.




Logfile of HijackThis v1.99.1
Scan saved at 10:51:59 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nitrodial V2\nitrodialV2.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bright.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Nitrodial V2.lnk = C:\Program Files\Nitrodial V2\nitrodialV2.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099087094687
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.g...rvest/gwCID.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4C8319A-2022-422E-8C2F-3D16E87B594B}: NameServer = 209.143.0.10 66.209.140.124
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#10 Siggyx

Posted 15 January 2006 - 10:25 PM

Please download WebRoot SpySweeper from HERE >>> http://www.webroot.c...ode=af1&rc=3597 (It's a 2 week trial):
Click the Free Trial link under "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply, as well as a new HijackThis log please.


#11 Tom J.

Posted 16 January 2006 - 04:34 PM

Here are my Spy Sweeper and Hijackthis logs.



********
4:59 PM: | Start of Session, Monday, January 16, 2006 |
4:59 PM: Spy Sweeper started
4:59 PM: Sweep initiated using definitions version 602
5:00 PM: Starting Memory Sweep
5:02 PM: Memory Sweep Complete, Elapsed Time: 00:02:02
5:02 PM: Starting Registry Sweep
5:02 PM: Found Adware: odysseus marketing
5:02 PM: HKCR\appid\actsetup.dll\ (1 subtraces) (ID = 136317)
5:02 PM: HKLM\software\classes\appid\actsetup.dll\ (1 subtraces) (ID = 136323)
5:02 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\actsetup.dll (ID = 136328)
5:02 PM: Found Adware: purityscan
5:02 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
5:02 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
5:02 PM: Found Adware: tibs dialer
5:02 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\tl7000.dll (ID = 143748)
5:02 PM: Found Adware: clientman
5:02 PM: HKCR\appid\urlcli.dll\ (1 subtraces) (ID = 701476)
5:02 PM: HKLM\software\classes\appid\urlcli.dll\ (1 subtraces) (ID = 701492)
5:02 PM: Registry Sweep Complete, Elapsed Time:00:00:11
5:02 PM: Starting Cookie Sweep
5:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:02 PM: Starting File Sweep
5:02 PM: Found Adware: syncroad
5:02 PM: c:\program files\windows syncroad (1 subtraces) (ID = -2147480177)
5:02 PM: Found Adware: exact fungamedownloads
5:02 PM: c:\program files\funcade (2 subtraces) (ID = -2147481393)
5:02 PM: c:\documents and settings\owner\start menu\programs\funcade (2 subtraces) (ID = -2147468032)
5:02 PM: Found Adware: 180search assistant/zango
5:02 PM: c:\windows\system32\fleok (ID = -2147480556)
5:03 PM: Found Trojan Horse: trojan-dropper-mecorp
5:03 PM: svrrunu.exe (ID = 81155)
5:03 PM: backup-20060114-120920-982.inf (ID = 71455)
5:06 PM: Found Adware: dealhelper
5:06 PM: keyword.xml (ID = 57646)
5:12 PM: keyword1.xml (ID = 57647)
5:12 PM: keyword2.xml (ID = 57648)
5:14 PM: backup-20060114-120920-982.dll (ID = 71452)
5:15 PM: funcade_mediawhiz1_install.exe (ID = 80509)
5:15 PM: funcade.exe (ID = 109840)
5:15 PM: sain_gdf.dat (ID = 70595)
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: Warning: Invalid Stream
5:18 PM: funcade.lnk (ID = 109840)
5:18 PM: funcade.lnk (ID = 109840)
5:18 PM: File Sweep Complete, Elapsed Time: 00:16:02
5:18 PM: Full Sweep has completed. Elapsed time 00:18:25
5:18 PM: Traces Found: 34
5:23 PM: Removal process initiated
5:23 PM: Quarantining All Traces: 180search assistant/zango
5:23 PM: Quarantining All Traces: purityscan
5:23 PM: Quarantining All Traces: tibs dialer
5:23 PM: Quarantining All Traces: trojan-dropper-mecorp
5:23 PM: Quarantining All Traces: clientman
5:23 PM: Quarantining All Traces: dealhelper
5:23 PM: Quarantining All Traces: exact fungamedownloads
5:23 PM: Quarantining All Traces: odysseus marketing
5:23 PM: Quarantining All Traces: syncroad
5:25 PM: Removal process completed. Elapsed time 00:01:47
********
4:41 PM: | Start of Session, Monday, January 16, 2006 |
4:41 PM: Spy Sweeper started
4:45 PM: Updating spyware definitions
4:53 PM: Your spyware definitions have been updated.
4:59 PM: | End of Session, Monday, January 16, 2006 |





Logfile of HijackThis v1.99.1
Scan saved at 5:31:54 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Nitrodial V2\nitrodialV2.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT#2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bright.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Nitrodial V2.lnk = C:\Program Files\Nitrodial V2\nitrodialV2.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Nitrodial V2\nitrodialV2.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099087094687
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.g...rvest/gwCID.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4C8319A-2022-422E-8C2F-3D16E87B594B}: NameServer = 209.143.0.10 66.209.140.124
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#12 Siggyx

Posted 16 January 2006 - 04:36 PM

Do you use a proxy server?

#13 Tom J.

Posted 16 January 2006 - 06:58 PM

No, I do not use a Proxy Server.

#14 Siggyx

Posted 16 January 2006 - 07:29 PM

Have HijackThis fix this line: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400. Then reboot and post a new log. How is it running?
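
The two entries the helper singled out, the loopback ProxyServer line and the look-alike svchost.exe name from the Kaspersky report, can be checked mechanically in a HijackThis log. This Python script is an added example, not a tool used in the thread; its sample log lines are constructed to resemble the ones posted above, and the look-alike heuristic is an assumption of mine rather than a published rule.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# System binaries that adware and trojans commonly imitate by file name.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "smss.exe", "spoolsv.exe"}

# A file name ending in .exe or .dll, inside a path or a bracketed token.
BINARY_NAME_RE = re.compile(r'[^\\/\s"\[\]]+\.(?:exe|dll)\b', re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")


@dataclass
class Finding:
    kind: str    # "homoglyph", "loopback_proxy" or "zone_override"
    detail: str  # what was matched
    line: str    # the offending log line


def homoglyph_target(name: str) -> Optional[str]:
    """Return the system binary that `name` imitates, or None.  Heuristic (my
    own): same length, every ASCII position matches and at least half of all
    positions match; an exact or all-ASCII name is never flagged."""
    lowered = name.lower()
    if lowered in SYSTEM_BINARIES or all(ord(c) < 128 for c in lowered):
        return None
    for target in SYSTEM_BINARIES:
        if len(lowered) != len(target):
            continue
        pairs = list(zip(lowered, target))
        ascii_ok = all(a == b for a, b in pairs if ord(a) < 128)
        if ascii_ok and 2 * sum(a == b for a, b in pairs) >= len(target):
            return target
    return None


def describe_non_ascii(name: str) -> str:
    """Name each non-ASCII character so the substitution is visible in a report."""
    return ", ".join(f"{c!r}={unicodedata.name(c, 'U+%04X' % ord(c))}"
                     for c in name if ord(c) > 127)


def loopback_proxy(line: str) -> Optional[str]:
    """Return the proxy setting if it routes browser traffic to this machine."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    # Values look like "http=127.0.0.1:5400" or "127.0.0.1:5400"; several
    # protocol=host:port pairs may be separated by semicolons.
    for part in m.group("value").split(";"):
        host = part.split("=", 1)[-1].rsplit(":", 1)[0].strip("[]").lower()
        if host.startswith("127.") or host in ("localhost", "::1"):
            return part
    return None


def scan_log(text: str) -> List[Finding]:
    """Run all three checks over every line of a HijackThis log."""
    findings: List[Finding] = []
    for line in text.splitlines():
        proxy = loopback_proxy(line)
        if proxy:
            findings.append(Finding("loopback_proxy", proxy, line))
        if line.startswith("O15") and "Trusted Zone" in line:
            findings.append(Finding("zone_override", "https in Trusted Zone", line))
        for name in set(BINARY_NAME_RE.findall(line)):
            target = homoglyph_target(name)
            if target:
                detail = f"{name} imitates {target} ({describe_non_ascii(name)})"
                findings.append(Finding("homoglyph", detail, line))
    return findings


# Constructed sample modelled on the logs in the thread.  The second process
# name uses CYRILLIC SMALL LETTER DZE and GREEK SMALL LETTER NU in place of
# "sv", which renders almost identically to svchost.exe.
LOOKALIKE = "\u0455\u03bdchost.exe"
SAMPLE_LOG = "\n".join([
    "Running processes:",
    r"C:\WINDOWS\system32\svchost.exe",
    "C:\\WINDOWS\\system32\\" + LOOKALIKE,
    r"C:\Program Files\Messenger\msmsgs.exe",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    "O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```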

#15 Tom J.

Posted 16 January 2006 - 08:21 PM

Computer seems to be running just fine. I ran Spybot and I still get the same three spyware as I posted in the original post. Do you think these are false readings?
