DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs
hijackthis log

#1 - Kizzmit5 - 15-11-2005, 04:12 AM
hijackthis log

Hi, (jephree sent me here to check on my log before we went on)

I'm working with jephree on an issue with my windows dragging. I had scanned my system with up-to-date programs and nothing was found; then I had an error with a link on my desktop with Spybot. I then changed the name of the link and scanned again. This time this is what I got. (This is what I posted to jephree about it.)

"Hi Jephree,

I thought I would scan again. I used Ad-Aware first and it came up with nothing. I tried Trend Micro and it didn't detect anything either. Then I ran Spybot. It said congratulations blah blah blah and it also had an error with a link I had on my desktop. I changed the name and rescanned. This time it said I had newdot.net. Here is what I copied.

NDNuninstall6_22.exe
created march 31, 2004
modified april 12,2004

NDNuninstall6_38.exe
created november 16, 2004
modified november 16,2004

Program Directory C:\\Program Files\QuickSearch\ (empty folder)
Executable C:\\WINDOWS\NDNuninstall6_38.exe
Log File c:\debuglog.txt
User settings HKEY_USERS\S-1-5-18\Software\new.net
User settings HKEY_USERS\DEFAULT\Software\new.net


I tried to have Spybot fix it, and actually tried twice, but each time it just stopped working or was taking longer than it should? I could move my cursor and bring things up, but the little message that comes up and says it would go away once a save spot was made just stayed there and sort of became part of the program. (Does that make sense?) I didn't know if this would cause problems with my browser dragging, but I thought I would see if you knew. From what I read it's hard to get rid of, so maybe it's a good thing I wasn't able to fix it myself? Unless it's not a threat at all, since the other 2 didn't find it. Thanks a lot for helping me, I really do appreciate it. Any help would be great."

Window drags

Both my windows and browsers drag when I move one of them. I tried Firefox as well and it's still doing it. Thanks for any help. Here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 7:01:01 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Neda Vargas\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://neopets.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: myVersion Class - {B62502B0-FFD0-40a9-908E-9EE4FC493EBF} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {AE8EF38E-64E0-472c-B9B4-E29643D152C1} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Versato] C:\Program Files\Magic Wheel\MulMouse.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: BINGOOO - {1DEF565C-31E7-427F-A39C-CAF9E1E5A9F2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.4.3...-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.3.3.3...-ob-assets.cab
O16 - DPF: Big Shot Roulette TM by pogo - http://game1.pogo.com/applet-6.2.3.3...-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.4.2.2...-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.3.1.3...-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: EZ Win Bingo by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.3.3...-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.3.2.3...-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.3.2.3...-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.0.4.37...-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.2...-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.2.2...-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.3...-ob-assets.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.4...-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.2...-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.0.3...-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.4.2.2...-ob-assets.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/neoblue.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {AE8EF38E-64E0-472C-B9B4-E29643D152C1} (Neopets) - http://toolbar.neopets.com/getCab.aspx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral4.sel.sony.com/...ad/sonyctl.CAB
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
#2 - Neal - 15-11-2005, 05:02 AM
Re: hijackthis log

Hi,

Spybot seems to be detecting an older version of newdotnet uninstaller. Remove that.

You can delete this folder: C:\\Program Files\QuickSearch


Let's see what some virus scans can uncover and we will go from there.

Get the stinger here:
http://vil.nai.com/vil/stinger/

Download it to another computer if need be, and bring it to the affected computer on floppy disk.

It will kill the top 53 virus files if any are found there.

then,

Internet Explorer required
Run these two online virus scanners (Panda Activescan) following these instructions below:
http://www.pandasoftware.com/product..._principal.htm


Internet Explorer required
Also this excellent (BitDefender) scanner: http://www.bitdefender.com/scan8/ie.html

These scans may take a couple of hours to do. BitDefender and Panda will both make a log if anything is found; please post both of those back here for me to take a look at.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

#3 - Kizzmit5 - 15-11-2005, 03:52 PM
Re: hijackthis log

Hi Neal,

Thanks for replying so fast. I deleted the folder you mentioned. I didn't touch the newdotnet uninstaller. Sorry about that. Is there a certain way to do it, or does it stay gone? It seemed to come back after I got rid of it a long time ago.

I scanned with Stinger. I have a bad memory, but I don't think it found anything. I did this one first and the others took so long I forgot what this one said.

Here are the reports. I didn't know if you wanted the link to the last scan or the small report, so I'll add it all.

Here is ActiveScan:

Incident Status Location

Adware:adware/ezula No disinfected C:\WINDOWS\SYSTEM32\ezPopStub.exe
Adware:adware/delfinmedia No disinfected C:\keys.ini
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall6_22.exe
Adware:adware/savenow No disinfected Windows Registry
Spyware:Spyware/New.net No disinfected C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\NNEZTA388.exe
Adware:Adware/QuickSearch No disinfected C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\TBEZA127Q.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe
Adware:Adware/QuickSearch No disinfected C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe
Adware:Adware/Exact.SearchBar No disinfected C:\WINDOWS\Downloaded Program Files\exactSetup.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_22.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/InstaFinder No disinfected C:\WINDOWS\system32\InstaFinder_inst245.exe
Here is BitDefender:

C:\Documents and Settings\Neda Vargas\Desktop\bitdefenderreport.html

BitDefender Online Scanner - Real Time Virus Report
Generated at: Tue, Nov 15, 2005 - 06:26:31

Scan Info
Scanned Files: 439919
Infected Files: 35

Virus Detected
Application.Adware.NewDotNet.Dropper 4
Trojan.Muldrop.1869.A 2
Application.Adware.NewDotNet.B.Dropper 3
Dropped:Application.Adware.NewDotNet.A 7
Application.Spyware.WebHancer.A 1
Trojan.Dropper.Small.JH 1
Trojan.Dropper.Small.FF 2
Trojan.Adware.Whenu.A 1
Adware.Wheaterbug.A 3
BehavesLike:Trojan.Downloader 1
Trojan.Downloader.Wren.D 2
Adware.Whenu.A 1
Trojan.Dloader.HK 7


Would things like this cause my windows and IE to drag?
#4 - Neal - 15-11-2005, 08:45 PM
Re: hijackthis log

Certainly would. Print these instructions out for easy reference.


Go into Add/Remove Programs and remove (IF FOUND):

newdotnet/new.net/uninstaller also
ezula
delfinmedia
savenow
QuickSearch
Exact.SearchBar
InstaFinder


Make sure you can see hidden files/folders
In Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
After you're cleaned, please "rehide" them again.


Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.

Hunt for and delete these if found:

C:\WINDOWS\SYSTEM32\ezPopStub.exe < file
C:\keys.ini < file
C:\WINDOWS\NDNuninstall6_22.exe < file

C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\NNEZTA388.exe
Side note on the above: if you did not put Sharks, Terrors of the Deep on your computer, remove that folder. If you did, just remove the file in bold.

C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\TBEZA127Q.exe
Same as above

C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe < file
C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe < file
C:\WINDOWS\Downloaded Program Files\exactSetup.exe < file
C:\WINDOWS\system32\InstaFinder_inst245.exe < file

Reboot normal mode and do this:

Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
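As an added example (not HijackThis, Panda or D-A-L code), the following Python script parses a HijackThis v1.99 log and Panda ActiveScan incident lines like the ones posted in this thread and sorts each scanner hit by how it is wired into the system: tied to a running process or a startup/browser entry, registry-only, or a dormant file that safe-mode deletion handles; it also lists the "(file missing)" entries the log flags. The log excerpts are taken from the thread; the O4 Run entry for ezPopStub.exe is constructed so the "active" branch is exercised.

```python
"""Cross-reference a HijackThis v1.99 log with Panda ActiveScan incident lines.

Added example: not HijackThis, Panda or D-A-L code. The log excerpts below
are taken from the thread; the O4 line for ezPopStub.exe is CONSTRUCTED so
that the 'active' branch of the checklist is exercised."""
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the HijackThis log posted in the thread. The "O4 ... [ezPopStub]"
# line is constructed and was NOT in the posted log.
HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:01:01 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

O2 - BHO: myVersion Class - {B62502B0-FFD0-40a9-908E-9EE4FC493EBF} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
O3 - Toolbar: Neopets - {AE8EF38E-64E0-472c-B9B4-E29643D152C1} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ezPopStub] C:\WINDOWS\system32\ezPopStub.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer (file missing)
"""

# Excerpt of the Panda ActiveScan incidents posted in the thread.
ACTIVESCAN = r"""Incident Status Location
Adware:adware/ezula No disinfected C:\WINDOWS\SYSTEM32\ezPopStub.exe
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:adware/savenow No disinfected Windows Registry
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/InstaFinder No disinfected C:\WINDOWS\system32\InstaFinder_inst245.exe
"""

# A Windows path up to the first interesting extension. Paths may contain
# spaces, so the match is anchored on the drive letter and ends at the extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ini|lnk|cab)\b", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
SCAN_RE = re.compile(r"^(?P<name>\S+)\s+(?P<status>No disinfected|Disinfected)\s+(?P<loc>.+)$")


@dataclass
class Entry:
    code: str            # HijackThis section: O2 (BHO), O4 (Run key), O23 (service) ...
    body: str
    path: Optional[str]  # first Windows file path found in the entry, if any
    file_missing: bool   # HijackThis appends "(file missing)" when the target is gone


def norm(path: str) -> str:
    """NTFS paths are case-insensitive and HijackThis mixes System32/system32."""
    return path.lower()


def parse_hjt(text: str):
    """Return (running_process_paths, [Entry, ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            p = PATH_RE.search(m["body"])
            entries.append(Entry(m["code"], m["body"], p.group(0) if p else None,
                                 "(file missing)" in m["body"]))
    return processes, entries


def parse_activescan(text: str):
    """Return [(detection_name, location), ...] from ActiveScan incident lines."""
    return [(m["name"], m["loc"].strip())
            for m in (SCAN_RE.match(ln.strip()) for ln in text.splitlines()) if m]


def cleanup_checklist(hjt_text: str, scan_text: str) -> dict:
    """Sort scanner hits by how they are wired into the system."""
    processes, entries = parse_hjt(hjt_text)
    resident = {norm(p) for p in processes}
    # Sections that make a file run at boot/logon or load into the browser.
    persist = {norm(e.path) for e in entries
               if e.path and e.code in {"O2", "O3", "O4", "O20", "O21", "O23"}}
    report = {"active": [], "dormant": [], "registry_only": [], "file_missing": []}
    for name, loc in parse_activescan(scan_text):
        if not PATH_RE.match(loc):                 # e.g. "Windows Registry": no file to delete
            report["registry_only"].append((name, loc))
        elif norm(loc) in resident or norm(loc) in persist:
            report["active"].append((name, loc))   # end the process / remove the entry first
        else:
            report["dormant"].append((name, loc))  # plain file deletion (safe mode) suffices
    report["file_missing"] = [f"{e.code} - {e.body}" for e in entries if e.file_missing]
    return report


if __name__ == "__main__":
    for bucket, items in cleanup_checklist(HJT_LOG, ACTIVESCAN).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Hits in the "active" bucket need their Run key or BHO/toolbar registration removed (or the process ended) before the file is deleted, otherwise the entry is recreated or the file is locked; "registry_only" hits are cleaned by the scanner or a registry fix, not by deleting files.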
#5 - Kizzmit5 - 16-11-2005, 04:37 AM
Re: hijackthis log

Ok,

I went through and tried to clean it up. I didn't find anything in the Add/Remove, so I went to safe mode. I found everything but:
C:\keys.ini < file
C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\NNEZTA388.exe
C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\TBEZA127Q.exe
C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe < file
C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe < file
(Did you want me to delete the whole "FileSubmit" folder or just what was in it?) I deleted the shark folder because I didn't see any of the exe files. The folder was empty. I also didn't see the themexp files nn or tb. When I ran the last program you asked me to, it said it couldn't delete the theme because of something. I'll add the error message.



Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:56 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Neda Vargas\Desktop\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://neopets.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: myVersion Class - {B62502B0-FFD0-40a9-908E-9EE4FC493EBF} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {AE8EF38E-64E0-472c-B9B4-E29643D152C1} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Versato] C:\Program Files\Magic Wheel\MulMouse.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: BINGOOO - {1DEF565C-31E7-427F-A39C-CAF9E1E5A9F2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.4.3...-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.3.3.3...-ob-assets.cab
O16 - DPF: Big Shot Roulette TM by pogo - http://game1.pogo.com/applet-6.2.3.3...-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.4.2.2...-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.3.1.3...-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: EZ Win Bingo by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.3.3...-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.3.2.3...-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.3.2.3...-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.0.4.37...-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.2...-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.2.2...-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.3...-ob-assets.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.4...-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.2...-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.0.3...-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.4.2.2...-ob-assets.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/neoblue.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {AE8EF38E-64E0-472C-B9B4-E29643D152C1} (Neopets) - http://toolbar.neopets.com/getCab.aspx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral4.sel.sony.com/...ad/sonyctl.CAB
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
  #6 (permalink)  
Old 16-11-2005, 04:38 AM
Kizzmit5
Elite Member
Contributor
 
Join Date: Sep 2004
Posts: 254
Re: hijackthis log

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:12:02 PM, 11/15/2005
+ Report-Checksum: 793BC758

+ Scan result:

HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Web Offer -> Spyware.eZula : Cleaned with backup
HKU\S-1-5-21-205194252-4159373444-726239912-1005\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{1A00C40B-DA85-4aa3-A67F-582D9347EECD} -> Spyware.iSearch : Cleaned with backup
HKU\S-1-5-21-205194252-4159373444-726239912-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{B195B3B3-8A05-11D3-97A4-0004ACA6948E} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-205194252-4159373444-726239912-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F} -> Spyware.CommonName : Cleaned with backup
HKU\S-1-5-21-205194252-4159373444-726239912-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-205194252-4159373444-726239912-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-205194252-4159373444-726239912-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-205194252-4159373444-726239912-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{82315A18-6CFB-44A7-BDFD-90E36537C252} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-205194252-4159373444-726239912-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841} -> Spyware.MidAddle : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Neda Vargas\Application Data\Mozilla\Firefox\Profiles\xyx88pw9.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Neda Vargas\Cookies\neda vargas@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Neda Vargas\Local Settings\Temp\Cookies\neda vargas@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Neda Vargas\Local Settings\Temporary Internet Files\Content.IE5\KMQ9SKRJ\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll -> Dialer.Generic : Cleaned with backup
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Sync.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Uninst.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Sync.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Uninst.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Save.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/SaveUninst.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Save.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/SaveUninst.exe -> Adware.SaveNow : Error during cleaning
C:\WINDOWS\Cookies\neda vargas@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@rotator.dex.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@thunderbolt.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@www.burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\Cookies\neda vargas@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup


::Report End



Months ago I came across the NDN file and I think I tried to delete it then, and it said it was part of a program and could harm it if I deleted it. Is it programmed with that warning just to keep it on your computer for those who don't know any better? Sneaky bugger!
  #7 (permalink)  
Old 16-11-2005, 05:15 AM
Neal
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: hijackthis log

Hi,

Download CCleaner from here:
http://www.majorgeeks.com/download4191.html
or here:
http://www.filehippo.com/download_ccleaner.html

Don't run the tool just yet, please.
Install it. The Windows tab should be open in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.

1. Uncheck "Cookies" under "Internet Explorer".

2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".

Re-run Ewido from safe mode.

Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.

Now run Ewido

Post the ewido log from safe mode please.

Run CCleaner while in safe mode using the Windows tab only, please.

Reboot normal mode


Did BitDefender delete everything it found? It looks like the log you posted was not the entire log.

Do you want neopets and neopets toolbar?

Then:

Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one, so print this or create a new text document on the desktop by right-clicking an open area, selecting New Text Document, and saving it as whatever you like. Now put a check next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Again make sure all browser windows are closed and click FIX

Reboot normal mode.

How is your computer running now?
__________________
Stalking and killing Spyware


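An added example, not from this thread and not part of HijackThis: a small Python helper that parses the one-line entry format used in the logs above and gathers the kinds of entries Neal's post singles out (R0/R1 browser settings that are empty or point at a host other than the ones you expect, entries HijackThis tags "(file missing)", and O16 ActiveX downloads grouped by host). The sample log, the trusted-host set and the function names are constructed for illustration; which entries to actually fix remains a judgment call.

```python
"""Triage helper for HijackThis v1.99-style log lines (illustrative only)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Every entry line is "<code> - <body>", e.g. "O2 - BHO: name - {CLSID} - path".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Constructed sample, modelled on the shape of entries in the thread's logs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def parse_entries(log_text):
    """Return (code, body) tuples for every entry line; header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def browser_setting_findings(entries, trusted_hosts):
    """R0/R1 entries have the form 'registry key,value name = data'.

    Flag data that is empty (the 'Local Page =' lines in the thread) or
    whose host is not one the machine's owner expects (the search redirect
    lines). trusted_hosts is the caller's own list; it is an assumption here.
    """
    findings = []
    for code, body in entries:
        if code not in ("R0", "R1"):
            continue
        # The registry path never contains '=', so the first '=' is the separator.
        key, _, data = body.partition("=")
        key, data = key.rstrip(), data.strip()
        if not data:
            findings.append((code, key, "empty value"))
            continue
        host = urlsplit(data).hostname or ""
        if host and host not in trusted_hosts:
            findings.append((code, key, "points at " + host))
    return findings


def file_missing_entries(entries):
    """Entries HijackThis tagged '(file missing)': the registration points at
    a file that is no longer on disk, so it is an orphan worth reviewing."""
    return [(c, b) for c, b in entries if b.endswith("(file missing)")]


def dpf_hosts(entries):
    """Group O16 (Downloaded Program Files / ActiveX) entries by the host they
    were fetched from, so a long list can be reviewed one site at a time."""
    by_host = defaultdict(list)
    for code, body in entries:
        if code != "O16":
            continue
        name, _, url = body.rpartition(" - ")
        if name.startswith("DPF: "):
            name = name[len("DPF: "):]
        by_host[urlsplit(url).hostname or "(no url)"].append(name)
    return dict(by_host)


def triage(log_text, trusted_hosts):
    """Run all three checks over one log and return them as a dict."""
    entries = parse_entries(log_text)
    return {
        "browser_settings": browser_setting_findings(entries, trusted_hosts),
        "file_missing": file_missing_entries(entries),
        "dpf_by_host": dpf_hosts(entries),
    }


if __name__ == "__main__":
    # Hosts this owner expects to see in R0/R1 lines (assumed for the sample).
    report = triage(SAMPLE_LOG, {"google.com", "www.sony.com"})
    for section, items in report.items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```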
  #8 (permalink)  
Old 16-11-2005, 11:41 AM
Kizzmit5
Elite Member
Contributor
 
Join Date: Sep 2004
Posts: 254
Re: hijackthis log

Ok, finished all that. I need to know if you want me to remove the whole archive for the "themexp.org File\WYSV-STBCnUbst.exe"? There are 8 things in there that are infected, but it said it was embedded and I didn't know if it was safe to delete the whole thing.

The BitDefender link looked like a normal internet link, so I thought it would let you see it; I'm not used to that program. Here is the full report. (Then I'll post the new HijackThis and Ewido.)

BitDefender Online Scanner

Scan report generated at: Tue, Nov 15, 2005 - 06:23:39

Scan path: C:\;D:\;E:\;F:\;G:\;

Statistics
Time: 01:42:55
Files: 439000
Folders: 7935
Boot Sectors: 3
Archives: 11337
Packed Files: 30275

Results
Identified Viruses: 18
Infected Files: 34
Suspect Files: 1
Warnings: 0
Disinfected: 0
Deleted Files: 35

Engines Info
Virus Definitions: 233550
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes




Scanned File
Status

C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\NNEZTA388.exe
Infected with: Dropped:Application.Adware.NewDotNet.A

C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\NNEZTA388.exe
Disinfection failed

C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\NNEZTA388.exe
Deleted

C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\TBEZA127Q.exe
Infected with: Trojan.Dloader.HK

C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\TBEZA127Q.exe
Disinfection failed

C:\Program Files\FileSubmit\Sharks, Terrors of the Deep\TBEZA127Q.exe
Deleted

C:\Program Files\fireplacedeluxe.exe=>wise0014
Infected with: Trojan.Dloader.HK

C:\Program Files\fireplacedeluxe.exe=>wise0014
Disinfection failed

C:\Program Files\fireplacedeluxe.exe=>wise0014
Deleted

C:\Program Files\fireplacedeluxe.exe
Update failed

C:\Program Files\fireplacedeluxe.exe=>wise0015
Infected with: Dropped:Application.Adware.NewDotNet.A

C:\Program Files\fireplacedeluxe.exe=>wise0015
Disinfection failed

C:\Program Files\fireplacedeluxe.exe=>wise0015
Deleted

C:\Program Files\fireplacedeluxe.exe
Update failed

C:\Program Files\fireplacedeluxe.exe=>wise0016
Infected with: Trojan.Dropper.Small.FF

C:\Program Files\fireplacedeluxe.exe=>wise0016
Disinfection failed

C:\Program Files\fireplacedeluxe.exe=>wise0016
Deleted

C:\Program Files\fireplacedeluxe.exe
Update failed

C:\Program Files\fireplacedeluxe.exe=>wise0024
Infected with: Trojan.Downloader.Wren.D

C:\Program Files\fireplacedeluxe.exe=>wise0024
Disinfection failed

C:\Program Files\fireplacedeluxe.exe=>wise0024
Deleted

C:\Program Files\fireplacedeluxe.exe
Update failed

C:\Program Files\Install_AIM_np.exe=>wise0085=>wise0008
Detected with: Adware.Wheaterbug.A

C:\Program Files\Install_AIM_np.exe=>wise0085=>wise0008
Disinfection failed

C:\Program Files\Install_AIM_np.exe=>wise0085=>wise0008
Deleted

C:\Program Files\Install_AIM_np.exe=>wise0085
Update failed

C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe
Infected with: Dropped:Application.Adware.NewDotNet.A

C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe
Disinfection failed

C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe
Deleted

C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe
Infected with: Trojan.Dloader.HK

C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe
Disinfection failed

C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe
Deleted

C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe=>(CAB Sfx r)=>Save.exe
Detected with: Adware.Whenu.A

C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe=>(CAB Sfx r)=>Save.exe
Disinfection failed

C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe=>(CAB Sfx r)=>Save.exe
Deleted

C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe=>(CAB Sfx r)
Update failed

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039009.exe=>wise0019
Detected with: Application.Adware.NewDotNet.B.Dropper

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039009.exe=>wise0019
Deleted

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039009.exe
Update failed

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039018.exe
Infected with: Dropped:Application.Adware.NewDotNet.A

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039018.exe
Disinfection failed

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039018.exe
Deleted

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039019.exe
Infected with: Trojan.Dloader.HK

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039019.exe
Disinfection failed

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039019.exe
Deleted

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039020.exe
Infected with: Dropped:Application.Adware.NewDotNet.A

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039020.exe
Disinfection failed

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039020.exe
Deleted

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039021.exe
Infected with: Trojan.Dloader.HK

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039021.exe
Disinfection failed

C:\System Volume Information\_restore{5D818203-277E-4890-90AC-003E003A1B8B}\RP220\A0039021.exe
Deleted

C:\WINDOWS\candycornv1.exe=>wise0015
Infected with: Trojan.Dloader.HK

C:\WINDOWS\candycornv1.exe=>wise0015
Disinfection failed

C:\WINDOWS\candycornv1.exe=>wise0015
Deleted

C:\WINDOWS\candycornv1.exe
Update failed

C:\WINDOWS\candycornv1.exe=>wise0016
Infected with: Dropped:Application.Adware.NewDotNet.A

C:\WINDOWS\candycornv1.exe=>wise0016
Disinfection failed

C:\WINDOWS\candycornv1.exe=>wise0016
Deleted

C:\WINDOWS\candycornv1.exe
Update failed

C:\WINDOWS\candycornv1.exe=>wise0017
Infected with: Trojan.Dropper.Small.JH

C:\WINDOWS\candycornv1.exe=>wise0017
Disinfection failed

C:\WINDOWS\candycornv1.exe=>wise0017
Deleted

C:\WINDOWS\candycornv1.exe
Update failed

C:\WINDOWS\celebrss.exe=>wise0015
Detected with: Application.Adware.NewDotNet.Dropper

C:\WINDOWS\celebrss.exe=>wise0015
Deleted

C:\WINDOWS\celebrss.exe
Update failed

C:\WINDOWS\hhousefree.exe=>wise0035=>(CAB Sfx r)=>Save.exe
Infected with: Trojan.Adware.Whenu.A

C:\WINDOWS\hhousefree.exe=>wise0035=>(CAB Sfx r)=>Save.exe
Disinfection failed

C:\WINDOWS\hhousefree.exe=>wise0035=>(CAB Sfx r)=>Save.exe
Deleted

C:\WINDOWS\hhousefree.exe=>wise0035=>(CAB Sfx r)
Update failed

C:\WINDOWS\hhousefree.exe=>wise0036
Detected with: Application.Adware.NewDotNet.Dropper

C:\WINDOWS\hhousefree.exe=>wise0036
Deleted

C:\WINDOWS\hhousefree.exe
Update failed

C:\WINDOWS\newyearseve.exe=>wise0015
Detected with: Application.Adware.NewDotNet.Dropper

C:\WINDOWS\newyearseve.exe=>wise0015
Deleted

C:\WINDOWS\newyearseve.exe
Update failed

C:\WINDOWS\system32\Macromed\Shockwave 8\Download.exe
Suspected of: BehavesLike:Trojan.Downloader

C:\WINDOWS\system32\Macromed\Shockwave 8\Download.exe
Disinfection failed

C:\WINDOWS\system32\Macromed\Shockwave 8\Download.exe
Deleted

C:\WINDOWS\themesfree.exe=>wise0072
Detected with: Application.Adware.NewDotNet.Dropper

C:\WINDOWS\themesfree.exe=>wise0072
Deleted

C:\WINDOWS\themesfree.exe
Update failed

C:\WINDOWS\themesfree.exe=>wise0073=>(RAR Sfx o)=>WhAgent.exe
Detected with: Application.Spyware.WebHancer.A

C:\WINDOWS\themesfree.exe=>wise0073=>(RAR Sfx o)=>WhAgent.exe
Disinfection failed

C:\WINDOWS\themesfree.exe=>wise0073=>(RAR Sfx o)=>WhAgent.exe
Deleted

C:\WINDOWS\themesfree.exe=>wise0073=>(RAR Sfx o)
Update failed

G:\ART\themes.zip=>themes/crystalicepalace.exe=>wise0020
Detected with: Application.Adware.NewDotNet.B.Dropper

G:\ART\themes.zip=>themes/crystalicepalace.exe=>wise0020
Deleted

G:\ART\themes.zip=>themes/crystalicepalace.exe
Update failed

G:\ART\themes.zip=>themes/crystalicepalace.exe=>wise0023
Infected with: Trojan.Muldrop.1869.A

G:\ART\themes.zip=>themes/crystalicepalace.exe=>wise0023
Disinfection failed

G:\ART\themes.zip=>themes/crystalicepalace.exe=>wise0023
Deleted

G:\ART\themes.zip=>themes/crystalicepalace.exe
Update failed

G:\ART\themes.zip=>themes/kittyreflections.exe=>wise0020
Detected with: Application.Adware.NewDotNet.B.Dropper

G:\ART\themes.zip=>themes/kittyreflections.exe=>wise0020
Deleted

G:\ART\themes.zip=>themes/kittyreflections.exe
Update failed

G:\ART\themes.zip=>themes/kittyreflections.exe=>wise0023
Infected with: Trojan.Muldrop.1869.A

G:\ART\themes.zip=>themes/kittyreflections.exe=>wise0023
Disinfection failed

G:\ART\themes.zip=>themes/kittyreflections.exe=>wise0023
Deleted

G:\ART\themes.zip=>themes/kittyreflections.exe
Update failed

G:\AIM95\aim95.exe=>wise0034=>wise0008
Detected with: Adware.Wheaterbug.A

G:\AIM95\aim95.exe=>wise0034=>wise0008
Disinfection failed

G:\AIM95\aim95.exe=>wise0034=>wise0008
Deleted

G:\AIM95\aim95.exe=>wise0034
Update failed

G:\AIM95\Sysfiles\WxBug.EXE=>wise0008
Detected with: Adware.Wheaterbug.A

G:\AIM95\Sysfiles\WxBug.EXE=>wise0008
Disinfection failed

G:\AIM95\Sysfiles\WxBug.EXE=>wise0008
Deleted

G:\AIM95\Sysfiles\WxBug.EXE
Update failed

G:\fireplacedeluxe.exe=>wise0014
Infected with: Trojan.Dloader.HK

G:\fireplacedeluxe.exe=>wise0014
Disinfection failed

G:\fireplacedeluxe.exe=>wise0014
Deleted

G:\fireplacedeluxe.exe
Update failed

G:\fireplacedeluxe.exe=>wise0015
Infected with: Dropped:Application.Adware.NewDotNet.A

G:\fireplacedeluxe.exe=>wise0015
Disinfection failed

G:\fireplacedeluxe.exe=>wise0015
Deleted

G:\fireplacedeluxe.exe
Update failed

G:\fireplacedeluxe.exe=>wise0016
Infected with: Trojan.Dropper.Small.FF

G:\fireplacedeluxe.exe=>wise0016
Disinfection failed

G:\fireplacedeluxe.exe=>wise0016
Deleted

G:\fireplacedeluxe.exe
Update failed

G:\fireplacedeluxe.exe=>wise0024
Infected with: Trojan.Downloader.Wren.D

G:\fireplacedeluxe.exe=>wise0024
Disinfection failed

G:\fireplacedeluxe.exe=>wise0024
Deleted

G:\fireplacedeluxe.exe
Update failed
  #9 (permalink)  
Old 16-11-2005, 11:51 AM
Kizzmit5
Elite Member
Contributor
 
Join Date: Sep 2004
Posts: 254
Re: hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 2:42:57 AM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Neda Vargas\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://neopets.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: myVersion Class - {B62502B0-FFD0-40a9-908E-9EE4FC493EBF} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {AE8EF38E-64E0-472c-B9B4-E29643D152C1} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Versato] C:\Program Files\Magic Wheel\MulMouse.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: BINGOOO - {1DEF565C-31E7-427F-A39C-CAF9E1E5A9F2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.4.3...-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.3.3.3...-ob-assets.cab
O16 - DPF: Big Shot Roulette TM by pogo - http://game1.pogo.com/applet-6.2.3.3...-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.4.2.2...-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.3.1.3...-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: EZ Win Bingo by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.3.3...-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.3.2.3...-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.3.2.3...-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.0.4.37...-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.2...-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.2.2...-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.3...-ob-assets.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.4...-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.2...-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.0.3...-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.4.2.2...-ob-assets.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/neoblue.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {AE8EF38E-64E0-472C-B9B4-E29643D152C1} (Neopets) - http://toolbar.neopets.com/getCab.aspx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral4.sel.sony.com/...ad/sonyctl.CAB
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe



Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:05:34 AM, 11/16/2005
+ Report-Checksum: 30BB960C

+ Scan result:

C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Sync.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Uninst.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Sync.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Uninst.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Save.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/SaveUninst.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/Save.exe -> Adware.SaveNow : Error during cleaning
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe/SaveUninst.exe -> Adware.SaveNow : Error during cleaning


::Report End


I still have the dragging, but it's not as bad as it is when I'm in safe mode. When I got in there it was dragging really bad. Thanks for being patient with me.

Oops, yes, I do want the Neopets toolbar.

Last edited by Kizzmit5; 16-11-2005 at 11:55 AM. Reason: forgot to mention neopets toolbar
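Reading a log this long by hand is error-prone, so here is an added example (not code from the thread or from HijackThis) of a small Python triage pass over lines in the same format. It parses the O2/O3/O4/O9/O16/O23 shapes seen above and flags the things a reviewer looks at first: "(file missing)" registrations, "Unknown owner" binaries, code living in Downloaded Program Files or directly under the Windows directory, O4 Run entries given as a bare filename, and O16 ActiveX packages fetched from hosts outside a short allow-list. The sample lines are copied from the posted log; TRUSTED_DPF_HOSTS is an assumed, reviewer-maintained allow-list, not anything HijackThis provides.

```python
"""Triage pass over HijackThis log lines: flag what a reviewer checks first.

Added example for this thread; it is not code from the forum or from
HijackThis. It parses the O2/O3/O4/O9/O16/O23 line shapes in the posted log
and flags: "(file missing)" registrations, "Unknown owner" binaries, code in
Downloaded Program Files or directly under the Windows directory, O4 Run
entries given as a bare filename (resolved by path search, so confirm which
file actually runs), and O16 ActiveX packages from hosts outside an
allow-list. TRUSTED_DPF_HOSTS is an assumed, reviewer-maintained list.
"""
import re

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
WINDIR_RE = re.compile(r"c:\\windows\\[^\\]+\.(exe|dll)\b")   # file directly in C:\WINDOWS

# Assumption: hosts the reviewer has decided to trust for O16 cab downloads.
TRUSTED_DPF_HOSTS = {"housecall60.trendmicro.com", "go.microsoft.com",
                     "security.symantec.com", "download.bitdefender.com"}

# Lines copied from the log posted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: myVersion Class - {B62502B0-FFD0-40a9-908E-9EE4FC493EBF} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll",
    r"O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE",
    r'O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"',
    r"O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
    r"O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/neoblue.cab",
    r"O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
]


def parse_line(line):
    """Split one line into section, kind, rest, ' - ' fields, CLSID and URL host."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section", "kind", "rest")
    clsid = CLSID_RE.search(rest)
    host = URL_HOST_RE.search(rest)
    return {"section": section, "kind": kind, "rest": rest,
            "fields": [f.strip() for f in rest.split(" - ")],
            "clsid": clsid.group(0).upper() if clsid else None,
            "host": host.group(1).lower() if host else None,
            "raw": line.strip()}


def flags_for(entry, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return triage flags for one parsed entry; an empty list means nothing stood out."""
    low = entry["raw"].lower()
    flags = []
    if "(file missing)" in low:
        flags.append("file-missing")        # dangling registration: leftover or removed payload
    if "unknown owner" in low:
        flags.append("unknown-owner")       # binary carries no publisher string
    if "downloaded program files" in low or WINDIR_RE.search(low):
        flags.append("code-in-windows-dir") # odd home for a legitimate add-on
    if entry["section"] == "O4":
        run = RUN_RE.match(entry["rest"])
        cmd = (run.group("cmd") if run else entry["rest"]).strip()
        if not (cmd.startswith('"') or cmd.startswith("%") or re.match(r"[A-Za-z]:\\", cmd)):
            flags.append("relative-path")   # bare name resolved by path search
    if entry["section"] == "O16" and entry["host"] and entry["host"] not in trusted_hosts:
        flags.append("dpf-untrusted-host")  # ActiveX package from an unlisted host
    return flags


def triage(lines, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Parse every line; return [(section, flags, raw)] for lines with at least one flag."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        flags = flags_for(entry, trusted_hosts)
        if flags:
            findings.append((entry["section"], flags, entry["raw"]))
    return findings


if __name__ == "__main__":
    for section, flags, raw in triage(SAMPLE_LOG):
        print(f"{section} [{', '.join(flags)}] {raw}")
```

A flag is a reason to look, not a verdict: the Ati HotKey Poller service trips "unknown-owner" only because the binary carries no publisher string, and the Neopets toolbar the poster says they want is flagged purely for living in Downloaded Program Files. Run the script directly to print the flagged lines from the embedded sample.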
  #10 (permalink)  
Old 16-11-2005, 10:07 PM
Neal
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: hijackthis log

Did you install themexp?

From what I have been able to find, this does come bundled with some adware.

Reboot into safe mode and look for and delete if found:

Looks like BitDefender got most things.

C:\Program Files\fireplacedeluxe.exe
C:\Program Files\Install_AIM_np.exe
C:\Program Files\themexp\Themexp.org File\WUSV-SYNCmInst.exe
C:\WINDOWS\candycornv1.exe
C:\WINDOWS\celebrss.exe
C:\WINDOWS\hhousefree.exe
C:\WINDOWS\newyearseve.exe
C:\WINDOWS\themesfree.exe
G:\ART\themes.zip=>themes/crystalicepalace.exe
G:\ART\themes.zip=>themes/kittyreflections.exe
G:\AIM95\aim95.exe
G:\fireplacedeluxe.exe



Please download Webroot SpySweeper from here: SpySweeper

Click the Free Trial link under "SpySweeper" to download the program.
Install it.
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.

Paste the contents of the session log you copied into your next reply.

Also

Go here to get SilentRunners and also post the log it makes, please.

SilentRunners
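As an added example (not from the reply above or from any of the tools it names), here is a Python helper that quarantines the listed files rather than deleting them: it records size and SHA-256 for each file, moves it into a quarantine folder with a manifest, and can put everything back if one of them turns out to be a false positive. Paths that no longer exist are reported as missing instead of failing, since an earlier scanner has often already removed some of them. The file list and directory tree in demo() are constructed for the demonstration; the `themes.zip=>...` entries in the reply name members inside an archive and would need the archive itself handled separately.

```python
"""Quarantine the files from a cleanup list instead of deleting them outright.

Added example for this thread; it is not code from the reply or from the
tools it names. Each existing file is hashed (SHA-256), moved into a
quarantine folder and recorded in manifest.json, so a false positive can be
restored and a sample survives for analysis. Paths that do not exist are
reported as 'missing', not treated as errors. demo() builds a constructed
tree in a temporary directory; nothing here touches real system paths.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def quarantine(paths, qdir):
    """Move every existing file in `paths` into `qdir`; return one record per path."""
    os.makedirs(qdir, exist_ok=True)
    records = []
    for p in paths:
        if not os.path.isfile(p):
            records.append({"path": p, "status": "missing"})
            continue
        digest = sha256_of(p)
        # Prefix with the hash so two files sharing a basename cannot collide.
        dest = os.path.join(qdir, f"{digest[:16]}_{os.path.basename(p)}")
        shutil.move(p, dest)
        records.append({"path": p, "status": "quarantined", "sha256": digest,
                        "size": os.path.getsize(dest), "stored_as": dest})
    manifest = {"created": datetime.now(timezone.utc).isoformat(), "records": records}
    with open(os.path.join(qdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return records


def restore(qdir):
    """Move every quarantined file back to its original path; return how many were restored."""
    with open(os.path.join(qdir, "manifest.json")) as f:
        manifest = json.load(f)
    restored = 0
    for rec in manifest["records"]:
        if rec["status"] != "quarantined":
            continue
        # Refuse to put back a copy that no longer matches what was taken.
        if sha256_of(rec["stored_as"]) != rec["sha256"]:
            raise RuntimeError(f"quarantined copy of {rec['path']} was altered; not restoring")
        os.makedirs(os.path.dirname(rec["path"]), exist_ok=True)
        shutil.move(rec["stored_as"], rec["path"])
        restored += 1
    return restored


def demo():
    """Quarantine then restore a constructed tree; return what a caller can check."""
    with tempfile.TemporaryDirectory() as root:
        present = [os.path.join(root, "Program Files", "fireplacedeluxe.exe"),
                   os.path.join(root, "WINDOWS", "themesfree.exe")]
        for p in present:
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(b"MZ" + os.urandom(64))      # constructed placeholder bytes
        listed = present + [os.path.join(root, "WINDOWS", "celebrss.exe")]  # never existed
        qdir = os.path.join(root, "quarantine")
        records = quarantine(listed, qdir)
        gone = all(not os.path.exists(p) for p in present)      # moved out of place?
        restored = restore(qdir)
        back = all(os.path.isfile(p) and sha256_of(p) == r["sha256"]
                   for p, r in zip(present, records))           # back, and unchanged?
        return {"statuses": [r["status"] for r in records], "gone": gone,
                "restored": restored, "back": back}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the quarantine folder should sit on a volume the user will not clean up by hand, and the manifest is what makes the operation reversible, so keep it with the moved files.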
All times are GMT +1.