Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Autosearch And Istbar


  • This topic is locked This topic is locked
6 replies to this topic

#1 betty3

betty3

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 29 January 2006 - 12:47 PM

Hi, I have followed the instructions of how to remove hijackers but my browser still seems to keep getting taken over. The Yahoo antispyware noted I had Autosearch and ISTbar. When completing theAd-Aware scan I first removed 11 files. The restarted and scanned again and was left with 8 files which I quarantined and delted. But they reappeared a second time. The Zonelabs search showed I was infected with the following:


Adtech - 3rd Party Cookie,
URL - Cookie:helen wildman@adtech.de/

Atdmt - 3rd Party Cookie
URL - Cookie:helen wildman@atdmt.com/

Com - 3rd Party Cookie
URL - Cookie:helen wildman@com.com/

Doubleclick - 3rd Party Cookie
URL - Cookie:helen wildman@doubleclick.net/

Mediaplex - 3rd Party Cookie
URL - Cookie:helen wildman@mediaplex.com/

EliteToolBar - Browser Plugin
RegistryKey - HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\

Win32.Adverts.TrojanDownloader - Hacker Tool
RegistryKey - HKEY_CURRENT_USER\Software\Program Data\

Screensavers - Adware
File Name - C:\WINDOWS\MICKEY32.DLL

qsearch - Adware
RegistryKey - HKEY_CURRENT_USER\Software\InfoSoft\qsearch\

HijackThis logfile below.
From all of this, how can I get rid of teh hijacker?
Thanks
Helen


Logfile of HijackThis v1.99.1
Scan saved at 17:38:19, on 29/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\BTYAHO~2\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\program files\common files\system\ms1src.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Helen Wildman\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~2\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/..._1/yregucfg.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol024.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 AM

Posted 31 January 2006 - 10:47 PM

Hello betty3,

You have some malware on your computer. Not to worry, we will soon have it off. :thumbsup:


Please disable Spybot TeaTimer as that will prevent Hijackthis making fixes.
Here is the way to disable it: http://www.russelltexas.com/malware/teatimer.htm

After we have your computer clean, then be sure to enable Teatimer.

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido anti-malware it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Once the updates are installed do the following:
  • Boot to the Safe Mode
    tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.


While in Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each.

C:\program files\common files\system\ms1src.exe

*******************************************

While in Safe Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install



*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold

c:\program files\common files\system\ms1src.exe <==file

*******************************************

CCleaner Tutorial

Let's empty the temp files:

Download CCleaner and install it. (default location is best).

1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.
In the Windows Tab:
o Clean all entries in the "Internet Explorer" section except Cookies.
o Clean all the entries in the "Windows Explorer" section.
o Clean all entries in the "System" section.
o Clean all entries in the "Advanced" section.
o Clean any others that you choose.
In the Applications Tab:
o Clean all except cookies in the Firefox/Mozilla section if you use it.
o Clean all in the Opera section if you use it.
o Clean Sun Java in the Internet Section.
o Clean any others that you choose.
3. Click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Finally, reboot to the Normal Mode, post the Ewido log, a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 31 January 2006 - 10:53 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 betty3

betty3
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 04 February 2006 - 02:20 PM

Thank you for your advice. I did as you suggested and located the files you mentioned. Below are the Ewido Log and Hijackthis Log. I did not delete all the temp files from one of the user folders as I was not sure whether to do this. Then, when they came up for another user profile I did delete them. Should I run an Ewido scan again. This found the ms1rc.exe file.

Thanks for your help
Helen


Hijack This Log
Logfile of HijackThis v1.99.1
Scan saved at 19:11:17, on 04/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\BTYAHO~2\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Helen Wildman\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~2\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/..._1/yregucfg.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol024.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Ewido
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:41:24, 04/02/2006
+ Report-Checksum: 9876D20F

+ Scan result:

C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_230.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_234.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_238.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_240.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_58C.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_760.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_814.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_81C.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_828.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_830.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_89C.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_8A0.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_8B8.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_8E4.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_8E8.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_90C.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_A20.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_A64.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_AE4.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_C00.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_D98.tmp -> Downloader.Dluca.ci : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_DDC.tmp -> Downloader.Dluca.ce : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_E14.tmp -> Downloader.Dluca.ci : Ignored
C:\Program Files\Internet Explorer\BT Yahoo! Internet Upgrade\btwebcontrol.dll -> Dialer.Generic : Ignored
C:\Program Files\Internet Explorer\BTOW Shared Files\btwebcontrol.dll -> Dialer.Generic : Ignored
C:\WINDOWS\SYSTEM32\1234abcd.exe -> Downloader.Dluca.bu : Ignored
HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001} -> Spyware.AutoSearch : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfk4epdjkeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfk4ggajocp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfkicjdzmco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfkieoczcbq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfkoanajghq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfkoapcjedp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfkoogdpaeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfkyeidpsgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfkyqjdpolq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfl4gocpifq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfl4oicpwfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wflialcpibo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wflienazgdo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfliggc5sho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfligmdjcbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfliondpseo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wflisic5ego.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfloglazaap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfmiwiajikp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfmiwocpkep.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wfmyuldzsbq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wgk4gndjiep.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wgkiuldpieo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wgkowhdpwfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wgkygmdzagq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wgkyspd5elp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjk4gkcjgfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjk4ugdzwko.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjkokhcpwlp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjkosndzobp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjkycndzilq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjkyspcpcgq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjl4egdzwdp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjl4sidpseo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjl4wncpwco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjliekc5kdp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjligiazklo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjliklcpmgq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjlisgdjifo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjlocldpiap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjloekcjodo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjlokmc5wco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjlyggcjeho.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjlysid5odo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjmighcpsbq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjmioodzodo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjmiuhczglo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjmiujdzokp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjmiwndzwhq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjmyejdpkfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjmyendpcdo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@e-2dj6wjnyohc5kbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@marksandspencer.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Cookies\andrew bayford@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_270.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temporary Internet Files\Content.IE5\SWARPJGU\qsearch[1].exe -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Cookies\helen wildman@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Cookies\helen wildman@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Cookies\helen wildman@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Cookies\helen wildman@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Cookies\helen wildman@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Cookies\helen wildman@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_24C.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_274.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_43C.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_558.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_814.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_86C.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_88C.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_894.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_8B8.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_8D8.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_8E0.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_8F8.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_908.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_938.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_A00.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_B18.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_C08.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_DCC.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Helen Wildman\Local Settings\Temp\lf_DEC.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Program Files\Common Files\System\ms1src.exe -> Downloader.Dluca.ci : Cleaned with backup


::Report End

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 AM

Posted 04 February 2006 - 03:14 PM

Hi Betty,

did not delete all the temp files from one of the user folders as I was not sure whether to do this. Then, when they came up for another user profile I did delete them. Should I run an Ewido scan again

.

Yes, using the directions I gave in my last post, run Ewido again.

Then post the Ewido log and fresh Hijackthis log.

How is your computer acting? :thumbsup:

Edited by SifuMike, 04 February 2006 - 03:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 betty3

betty3
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 05 February 2006 - 03:19 PM

Hi! OK, I've rerun the Ewido scan and deleted all but 2 files which looked to be ones linked to my Internet service provider BT Openworld. Attached are the latest scans. My PC does seem to be running faster although I haven't surfed the net enough in the last 2 days to tell whether the hijacker takes over my browser yet. I ran a BT Yahoo antispy scan which still showed the ISTbar Hijacker but the Autosearch had gone. What do I do about enabling the TeaTimer?
Many thanks, Betty 3
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:07:58, 05/02/2006
+ Report-Checksum: 20BA28A1

+ Scan result:

C:\Program Files\Internet Explorer\BT Yahoo! Internet Upgrade\btwebcontrol.dll -> Dialer.Generic : Ignored
C:\Program Files\Internet Explorer\BTOW Shared Files\btwebcontrol.dll -> Dialer.Generic : Ignored
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_230.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_234.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_238.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_240.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_58C.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_760.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_814.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_81C.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_828.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_830.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_89C.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_8A0.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_8B8.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_8E4.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_8E8.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_90C.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_A20.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_A64.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_AE4.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_C00.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_D98.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_DDC.tmp -> Downloader.Dluca.ce : Cleaned with backup
C:\Documents and Settings\Andrew Bayford\Local Settings\Temp\lf_E14.tmp -> Downloader.Dluca.ci : Cleaned with backup
C:\WINDOWS\SYSTEM32\1234abcd.exe -> Downloader.Dluca.bu : Cleaned with backup

Logfile of HijackThis v1.99.1
Scan saved at 20:12:09, on 05/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\BTYAHO~2\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Helen Wildman\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~2\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/..._1/yregucfg.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol024.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 AM

Posted 05 February 2006 - 03:37 PM

Hello Betty,

Your log looks clean! :thumbsup:

You can enable Spybot Teatimer.

I ran a BT Yahoo antispy scan which still showed the ISTbar Hijacker but the Autosearch had gone.


Can you copy and paste the BT Yahoo antispy scan so I can see the what it found?
I am not seeing anything in your log, so it may be a false positive or a remenent of ISTbar.



Lets clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected.

Edited by SifuMike, 05 February 2006 - 03:38 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:41 AM

Posted 19 February 2006 - 02:07 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users