18 replies to this topic

[elbowpipe]

I'm running Win XP Pro (SP2) and developing some .NET web apps. One of the apps uses index.htm to popup a 'no chrome' window (login.aspx) and recently has stopped working. When I make index.htm the start page I get a brief glimpse of "about:blank" window and then nothing (IE closes). If I make login.aspx the start page I get "about:blank" window which is then replaced by login.aspx. The other matter is that even with 1152 RAM, the PC sometime runs slow. I feel sure I've been hijacked, but running ad-aware, spybot and X-Cleaner makes no difference. I use AVG Solo which is always up-to-date.

Here is my HJT log - grateful for any help:

Logfile of HijackThis v1.99.1
Scan saved at 00:19:16, on 16/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\twain_32\PV\WATCH.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
C:\Program Files\OpenOffice.org1.0\program\soffice.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\dllhost.exe
\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\Documents and Settings\Duncan\Desktop\antivirus\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Connection Keeper.lnk = C:\Program Files\Connection Keeper\ConKeepM.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\PV\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GrooveRunOnceInstaller - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveRunOnceInstaller.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: MySql - Unknown owner - C:/mySQL/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

[LDTate]

Hello elbowpipe, welcome to the forum. Sorry about the delay in responding If you still need help, Scan again with HijackThis, and copy/paste" a new log file into this thread.

[elbowpipe]

LDtate, thanks for getting back. HJT log below:

Logfile of HijackThis v1.99.1
Scan saved at 00:17:27, on 18/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\twain_32\PV\WATCH.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\OpenOffice.org1.0\program\soffice.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\groove networks\groove\bin\Groove.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Duncan\Desktop\antivirus\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Connection Keeper.lnk = C:\Program Files\Connection Keeper\ConKeepM.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\PV\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GrooveRunOnceInstaller - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveRunOnceInstaller.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: MySql - Unknown owner - C:/mySQL/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

[LDTate]

This is what I suggest you do.


Please do not delete anything unless instructed to.


Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.4 and Ad-aware SE Build 1.06 . All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:

Install the program and launch it.

Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
Put a check mark beside the RED (RED) entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.

Next:

Please download the trial version of ewido anti-malware 3.5 here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

[elbowpipe]

Will do, but meantime, should I switch off System Restore ? (concerned that malware might be restored on reboot)

[LDTate]

Will do, but meantime, should I switch off System Restore ? (concerned that malware might be restored on reboot)

NO. A bad restore point is better then no restore point. We'll get to creating a new restore point once you're PC is clean.

[elbowpipe]

LDTate,

ewido scan below:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:58:08, 18/02/2006
+ Report-Checksum: B8793A28

+ Scan result:

HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.264:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
:mozilla.267:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.272:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.273:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.298:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.300:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.308:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.309:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.310:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.311:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.312:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.313:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.314:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.315:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.316:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.317:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.319:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.320:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.321:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.345:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.346:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.359:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.360:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.362:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.364:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.365:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.366:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.367:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.377:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.378:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.379:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.387:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.388:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.408:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.434:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.435:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.443:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.444:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.445:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.446:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.447:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.453:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.454:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.460:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.461:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.462:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.463:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.464:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.474:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Counted : Cleaned with backup
:mozilla.475:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Counted : Cleaned with backup
:mozilla.476:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Counted : Cleaned with backup
:mozilla.485:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
:mozilla.486:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.503:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.504:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.505:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.522:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Belstat : Cleaned with backup
:mozilla.523:C:\Documents and Settings\Duncan\Application Data\Mozilla\Firefox\Profiles\ti2f523b.default\cookies.txt -> TrackingCookie.Belstat : Cleaned with backup
C:\Documents and Settings\Susan\Cookies\susan@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Susan\Cookies\susan@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup


::Report End


HJT scan below:

Logfile of HijackThis v1.99.1
Scan saved at 13:03:11, on 18/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\twain_32\PV\WATCH.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\OpenOffice.org1.0\program\soffice.exe
C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Duncan\Desktop\antivirus\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Connection Keeper.lnk = C:\Program Files\Connection Keeper\ConKeepM.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\PV\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GrooveRunOnceInstaller - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveRunOnceInstaller.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: MySql - Unknown owner - C:/mySQL/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

[LDTate]

I suggest you do this:


Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE

Close ALL windows and browsers except HijackThis and click "Fix checked"


Open C:\Windows\Prefetch\ Delete ALL files in this folder.



Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

[elbowpipe]

Unfortunately, exactly the same behaviour as described on my initial posting is happening. I'm getting 'about:blank' before login.aspx opens , and index.htm results in IE closing down (strangely, firefox prompts me for userid/password for both pages),

HJT log below:

Logfile of HijackThis v1.99.1
Scan saved at 16:42:08, on 18/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\twain_32\PV\WATCH.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\OpenOffice.org1.0\program\soffice.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\SqlWb.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Duncan\Desktop\antivirus\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Connection Keeper.lnk = C:\Program Files\Connection Keeper\ConKeepM.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\PV\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GrooveRunOnceInstaller - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveRunOnceInstaller.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: MySql - Unknown owner - C:/mySQL/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

[LDTate]

Unfortunately, exactly the same behaviour as described on my initial posting is happening. I'm getting 'about:blank' before login.aspx opens , and index.htm results in IE closing down (strangely, firefox prompts me for userid/password for both pages),

Have you tried the internet with IE to see if this is a FireFox issue?

[elbowpipe]

The behaviour I describe IS with IE . Perhaps I should have clarified that this is a localhost problem while in development - I don't have any problems ordinarily when surfing the net. Could it be an IIS problem locally?

[LDTate]

We can try a couple things to see if it will fix it.

Please download hoster from the link below.

http://www.funkytoad...load/hoster.zip

Unzip Hoster.zip
Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

[elbowpipe]

Sorry, no change to behaviour after using Host manager - there was only 1 line in the hosts file anyway -

localhost 127.0.0.1

Log below:

Logfile of HijackThis v1.99.1
Scan saved at 17:38:12, on 18/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\WINDOWS\twain_32\PV\WATCH.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\OpenOffice.org1.0\program\soffice.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\Documents and Settings\Duncan\Desktop\antivirus\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Groove Networks\Groove\Bin\GrooveShellExtensions.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Connection Keeper.lnk = C:\Program Files\Connection Keeper\ConKeepM.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\PV\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Groove Audit Service (GrooveAuditService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveAuditService.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: GrooveRunOnceInstaller - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveRunOnceInstaller.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: MySql - Unknown owner - C:/mySQL/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

[LDTate]

Could it be an IIS problem locally?

It very well could be. All I can tell you is your HJT log looks clean to me.

Also what you're creating, I don't know anything about.

Might this help?
http://authors.aspal...inaspxfile.aspx

[elbowpipe]

The functionality I've described is the oldest part of a year-long project, which has been working OK up until recently. There have been no changes to either page (I keep backups of all code and checked with Winmerge), so my only explanation is that I've been hijacked. Oh, forgot to say, this functionality (popping up a login window with no address bar, file menu etc - emulating a desktop app) is shared with my business partner (we use Sourcesafe over the net) and is working on his machine. Am I correct in surmising we have reached the end of the road? I read elsewhere that about:blank is just about the most pernicious malware around. Thanks for your attempts to help out anyway.