
Hi guys,

I've done some searching back through previous threads in order to help me remove the Transponder.pynix spyware (part of VX2 I believe) but to no avail - here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:01:04, on 26/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Graham Archer\Desktop\Virus Protection\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.sns.york.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: MFWAKeys.lnk = C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: BT - {94879043-16A1-425D-90CC-EB5D3F8F73C6} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {97367153-69C3-4610-835E-ACF3A3CEB6EC} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093180511655
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

And here is my Panda log:


Incident Status Location

Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\alchem.cab
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\alchem.cab[alchem.inf]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\alchem.cab[alchem.exe]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\alchem.cab[alchem.ini]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\alchem.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\alchem.ini
Virus:Trj/Downloader.GK Disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\polmx.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\satmat.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\satmat.ini
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI104A.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI13AE.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI1448.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI1A74.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI248E.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI2539.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI256A.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI2791.tmp\Pynix.inf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI332A.tmp\zserv.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI332A.tmp\zserv.cab[zserv.inf]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI332A.tmp\zserv.cab[ZServ.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI332A.tmp\zserv.inf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI34B4.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI3F86.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI4176.tmp\zserv.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI4176.tmp\zserv.cab[zserv.inf]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI4176.tmp\zserv.cab[ZServ.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI4176.tmp\zserv.inf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI421D.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI4582.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI493B.tmp\zserv.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI493B.tmp\zserv.cab[zserv.inf]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI493B.tmp\zserv.cab[ZServ.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI493B.tmp\zserv.inf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI49B1.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI4EDF.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI5243.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI550E.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/BTGrab No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI5686.tmp\btgrab.cab[BTGrab.dll]
Adware:Adware/Twain-Tech No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI5686.tmp\btgrab.cab[polall1b.exe]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI59DF.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI5B88.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI5E3.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI614.tmp\zserv.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI614.tmp\zserv.cab[zserv.inf]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI614.tmp\zserv.cab[ZServ.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI614.tmp\zserv.inf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI62A1.tmp\zserv.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI62A1.tmp\zserv.cab[zserv.inf]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI62A1.tmp\zserv.cab[ZServ.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI62A1.tmp\zserv.inf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI69B8.tmp\zserv.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI69B8.tmp\zserv.cab[zserv.inf]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI69B8.tmp\zserv.cab[ZServ.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI69B8.tmp\zserv.inf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI702A.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI840.tmp\zserv.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI840.tmp\zserv.cab[zserv.inf]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI840.tmp\zserv.cab[ZServ.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI840.tmp\zserv.inf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THI94F.tmp\dlmax.cab[dlmax.dll]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THIC3E.tmp\zserv.cab
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THIC3E.tmp\zserv.cab[zserv.inf]
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THIC3E.tmp\zserv.cab[ZServ.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Graham Archer\Local Settings\Temp\THIC3E.tmp\zserv.inf
Adware:Adware/TopRebates No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2C7C7F55-F7BA-4FBD-9671-CC0580\2D780BEE-0EAC-4F3A-923C-D0B3CE
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\banner.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\satmat.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini


By the looks of this I probably have more than just the pynix spyware but any help would be much appreciated.

Thanks in advance.

Graham

Last Post by dlh6213

1. Symantec has a recently-updated description of the Pynix VX2 infection and a download link to their stand-alone removal utility here. Try the utility and let us know the results.


2. Download Ewido and install it, and then open the program. If you initially receive a warning message saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido; do not actually have it scan your system yet.


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:

C:\WINDOWS\INF\banner.inf
C:\WINDOWS\INF\satmat.inf
C:\WINDOWS\satmat.ini

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


4. While still in Safe Mode, open Ewido and run a full system scan. Once ewido finishes scanning/fixing, save the scan report log it generates.


5. Reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.
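The file and Temp-folder cleanup in step 3 above, as an added PowerShell example that is not part of the original reply. It assumes the XP profile layout under C:\Documents and Settings and Windows in C:\WINDOWS (both are parameters), and that PowerShell is installed, which a 2005-era XP machine would not have by default.

```powershell
<#
  Added example, not part of the original reply: a scripted version of the
  step 3 cleanup (delete the three files named in the Panda log, then clear
  the per-user and machine-wide temporary folders). Run it from an elevated
  PowerShell prompt in Safe Mode; pass -WhatIf first to see what it would
  delete without deleting anything.
  Assumptions: profiles live under C:\Documents and Settings (XP layout) and
  Windows is in C:\WINDOWS; both are parameters in case the machine differs.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',
    [string]$WindowsDir  = 'C:\WINDOWS'
)

# Files the reply says to delete (they also appear in the Panda scan output).
$knownBadFiles = @(
    (Join-Path $WindowsDir 'INF\banner.inf'),
    (Join-Path $WindowsDir 'INF\satmat.inf'),
    (Join-Path $WindowsDir 'satmat.ini')
)

# Per-profile folders whose contents are cleared; the folders themselves stay.
$profileSubfolders = @(
    'Cookies',
    'Local Settings\Temp',
    'Local Settings\History',
    'Local Settings\Temporary Internet Files'
)

# Machine-wide folders cleared the same way. Prefetch files record which
# programs ran and when; copy that folder elsewhere first if you want to keep
# that evidence for later analysis.
$systemFolders = @(
    (Join-Path $WindowsDir 'Temp'),
    (Join-Path $WindowsDir 'Prefetch')
)

function Clear-FolderContents {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Verbose "skipping missing folder: $Path"
        return
    }
    # -Force lists hidden and system items such as desktop.ini and index.dat,
    # the same effect as the "show hidden files" settings in the reply.
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force) {
        if (-not $PSCmdlet.ShouldProcess($item.FullName, 'Delete')) { continue }
        try {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
        } catch {
            # index.dat in the top-level Temp folders is normally locked by the
            # system; the reply notes this is expected, so report and move on.
            Write-Warning "could not delete $($item.FullName): $($_.Exception.Message)"
        }
    }
}

# 1. The three named files.
foreach ($file in $knownBadFiles) {
    if (Test-Path -LiteralPath $file) {
        if ($PSCmdlet.ShouldProcess($file, 'Delete known malware file')) {
            Remove-Item -LiteralPath $file -Force
        }
    } else {
        Write-Host "not present: $file"
    }
}

# 2. Every profile folder under the profile root (PSIsContainer rather than
#    -Directory so this also works on the PowerShell versions XP could run).
foreach ($profile in Get-ChildItem -LiteralPath $ProfileRoot -Force | Where-Object { $_.PSIsContainer }) {
    foreach ($sub in $profileSubfolders) {
        Clear-FolderContents -Path (Join-Path $profile.FullName $sub)
    }
}

# 3. Machine-wide Temp and Prefetch.
foreach ($dir in $systemFolders) {
    Clear-FolderContents -Path $dir
}

# 4. Recycle Bin. Clear-RecycleBin exists only on PowerShell 5 and later; on
#    older systems the bin is the hidden RECYCLER folder on each drive.
if (Get-Command Clear-RecycleBin -ErrorAction SilentlyContinue) {
    if ($PSCmdlet.ShouldProcess('Recycle Bin', 'Empty')) { Clear-RecycleBin -Force }
} else {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        Clear-FolderContents -Path (Join-Path $drive.Root 'RECYCLER')
    }
}
```

Run it as `.\cleanup.ps1 -WhatIf -Verbose` first; the WhatIf output is the list of everything the real run would delete, so anything you still need from the Temp folders can be moved out before running it for real.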


Hi,

Thanks for the quick response! I did all the above but pynix is still there. Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:51:58, on 26/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Graham Archer\Desktop\Virus Protection\hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.sns.york.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: MFWAKeys.lnk = C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: BT - {94879043-16A1-425D-90CC-EB5D3F8F73C6} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {97367153-69C3-4610-835E-ACF3A3CEB6EC} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093180511655
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE



And here is the Ewido log:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           23:48:05, 26/07/2005
+ Report-Checksum:      D3BF617A


+ Scan result:


HKLM\SOFTWARE\Classes\Interface\{5326B223-DC21-43A4-9B79-635E2D18DCB2} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.237:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.266:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.267:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.268:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.269:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.270:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.271:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.272:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.273:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.278:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.292:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.293:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.294:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.295:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.351:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.352:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.387:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.388:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.389:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.391:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.392:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.409:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.411:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.412:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.414:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.421:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.422:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.423:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.427:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.458:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.459:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.471:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.472:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.473:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.485:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.596:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.597:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
:mozilla.624:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Enigmasoftwaregroup : Cleaned with backup
:mozilla.625:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Enigmasoftwaregroup : Cleaned with backup
:mozilla.626:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Enigmasoftwaregroup : Cleaned with backup
:mozilla.638:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.640:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.665:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.666:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hotlog : Cleaned with backup
:mozilla.676:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.719:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.721:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.722:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.723:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.724:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.725:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.726:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.727:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.733:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.750:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.751:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.758:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.767:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.800:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.809:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.817:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.831:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.833:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.853:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.854:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.856:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.857:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.860:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.861:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.862:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.870:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.874:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.875:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.876:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.882:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.947:C:\Documents and Settings\Graham Archer\Application Data\Mozilla\Firefox\Profiles\vqgkptm5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2C7C7F55-F7BA-4FBD-9671-CC0580\2D780BEE-0EAC-4F3A-923C-D0B3CE -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP291\A0084325.exe -> TrojanDownloader.Agent.ex : Cleaned with backup



::Report End

I hope this helps.

Many thanks,

Graham

Edited by happygeek: fixed formatting


Sorry, a couple of things I forgot to mention.

- I tried the Symantec Pynix VX2 remover and this was the log:

Symantec Adware.BetterInternet Removal Tool 1.1.3


C:\bac47cd371a50f383bec07\sp2: (not scanned)
C:\Documents and Settings\Graham Archer\Desktop\Current Projects\Recording SIG - Due 2.05.05\Liverpool Philharmonic Orchestra 23.02.2005\LPO Cut and mastered CD tracks\Edward Elgar - Symphony No.1 in A flat major\1. Andante. Nobilmente e semplice - Allegro.wav (WARNING: not scanned, path to long)
Adware.BetterInternet has not been found on your computer.


Also, I have Microsoft AntiSpyware beta installed and on every startup it prompts me to remove Transponder.Pynix, to which I always click Remove - is this the right thing to be doing?

Thanks,

Graham

0

Do you use any file-sharing programs? That's the most common way for this particular infection to spread.

Open Firefox and go to Tools, Options, and then click on Privacy (padlock icon on the left); click on the Clear All button.

Download, install, update, and run the following utilities:

CounterSpy
http://www.download.com/CounterSpy/3000-8022_4-10375153.html?tag=lst-0-1

CCleaner
http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html

If, after doing the above, pynix is still on your computer, can you tell us where MS's Anti-spyware says it's located?

0

Hi,

I used to use Kazaa about a year ago for a short while but have since uninstalled it - I'm guessing that's where I've picked this up from, as pynix has been on my computer for a while now.

I did the things in Firefox and also downloaded and ran the two spyware programs, but it's still there!

However, when I boot up I now get CounterSpy telling me that VX2.ABetterInternet is trying to install itself, and not MS Anti-spyware. Also CounterSpy won't let me see where the infection is. On the other hand SpywareGuard also says on startup:

Warning a BHO has been added:

{00000000-DD60-0064-6EC2-6E0100000000}

And it gives me the option to remove it (which I always take), but then it says that the program has performed a runtime error:

'-2147024770(8007007e)'

I wondered if I should uninstall CounterSpy to see if MS Anti-spyware will tell me the location of the infection?

Thanks,

Graham

0

I wondered if I should uninstall CounterSpy to see if MS Anti-spyware will tell me the location of the infection?

Try that, and also post a new HijackThis log with your next reply.

0

Hi,

I uninstalled CounterSpy and MS AntiSpyware said that pynix was located here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\00000000-DD60-0064-6EC2-6E0100000000

And this is what I get on startup:

"Microsoft AntiSpyware has detected the threat Transponder.Pynix trying to install a Browser Helper Object on your computer. If you would like to allow Transponder.Pynix to install the Browser Helper Object click the 'Allow' button below.

Name: Transponder.Pynix
Type: Spyware
Threat Level: High

Description: Software that collects information, such as the websites a user visits, without adequate consent. This may include installing without prominent notice or running without a clear method to disable.

Advise: High-risk items have a large potential for adverse effect, such as loss of computer control, and should be removed unless knowingly installed."


My new hijackthis log is:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:04, on 31/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Graham Archer\Desktop\Virus Protection\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.sns.york.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: MFWAKeys.lnk = C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: BT - {94879043-16A1-425D-90CC-EB5D3F8F73C6} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {97367153-69C3-4610-835E-ACF3A3CEB6EC} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093180511655
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

0

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Then click on Edit, Find; in the box, paste pynix, and then click on Find Next.

Right-click on any entries found and click Delete.

Continue using the Find Next option until you get the Finished searching through registry message.

Repeat the above instructions using 00000000-DD60-0064-6EC2-6E0100000000

Close the Registry Editor.

Let us know the results and post a new HJT log please.

0
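The registry search above looks for the CLSID {00000000-DD60-0064-6EC2-6E0100000000} and the name pynix; the same two checks can be run over a HijackThis log before anything is deleted. The script below is an added example written for this thread (not a tool from the thread or from HijackThis): it parses the R/O section lines of a HJT 1.99-format log, pulls every CLSID, and flags the watch-listed CLSID, O2 BHO entries reported as (no file), and O16 DPF entries with no download URL. The sample log lines are constructed in the shape of the logs posted above, and the watchlist holds only the CLSID named in this thread.

```python
import re

# CLSID in the {8-4-4-4-12} form HijackThis prints (matched case-insensitively,
# because regedit shows the same key in lower case).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Section lines look like "O2 - BHO: ..." or "R1 - HKCU\..."; the header and
# the running-process list do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[ORF]\d{1,2}) - (?P<rest>.*)$")

# CLSIDs worth flagging. The only entry is the BHO CLSID named in this thread.
WATCHLIST = {
    "{00000000-DD60-0064-6EC2-6E0100000000}": "Transponder.Pynix BHO (CLSID from this thread)",
}

# Constructed sample in HijackThis 1.99 format; not one of the logs posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {00000000-dd60-0064-6ec2-6e0100000000} - C:\WINDOWS\System32\pynix.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
"""


def parse_hjt(log_text):
    """Return one record per HijackThis section line (R*/O*/F*), in log order."""
    items = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        items.append({
            "section": m["section"],
            "text": m["rest"],
            # Normalise to upper case so the watchlist lookup is case-insensitive.
            "clsids": [c.upper() for c in CLSID_RE.findall(m["rest"])],
        })
    return items


def triage(items, watchlist=WATCHLIST):
    """Flag watch-listed CLSIDs, orphaned BHOs and DPF entries with no source.

    Returns a list of (section, clsid, reason) tuples in log order.
    """
    findings = []
    for it in items:
        first = it["clsids"][0] if it["clsids"] else ""
        # A watch-listed CLSID is flagged wherever it appears (O2, O3, O9, O16 ...).
        for clsid in it["clsids"]:
            if clsid in watchlist:
                findings.append((it["section"], clsid, "watchlist: " + watchlist[clsid]))
        # O2 entries whose DLL is gone are leftover registrations, not live code.
        if it["section"] == "O2" and it["text"].endswith("(no file)"):
            findings.append((it["section"], first, "orphan BHO: CLSID registered but its DLL is missing"))
        # An O16 line that ends in "-" has no URL, so its origin cannot be checked.
        if it["section"] == "O16" and it["text"].rstrip().endswith("-"):
            findings.append((it["section"], first, "DPF entry with no download URL recorded"))
    return findings


def triage_log(log_text, watchlist=WATCHLIST):
    """Parse and triage a whole log in one call."""
    return triage(parse_hjt(log_text), watchlist)


if __name__ == "__main__":
    for section, clsid, reason in triage_log(SAMPLE_LOG):
        print(f"{section:4} {clsid} {reason}")
```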

Hi, I did the above and deleted about 5 reg keys, but pynix is still there! Not quite sure what else to do, but as ever here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:16:02, on 01/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Graham Archer\Desktop\Virus Protection\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.sns.york.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: MFWAKeys.lnk = C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: BT - {94879043-16A1-425D-90CC-EB5D3F8F73C6} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {97367153-69C3-4610-835E-ACF3A3CEB6EC} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093180511655
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


Thanks guys.

0

Open Task Manager (Ctrl-Alt-Del), and look for polall1p.exe; if found, highlight it and then hit the End Process button.

Go to the Start menu and select Run. In the box that pops up type in cmd; the command prompt will open.

Unregister these DLLs by entering the following (hit Enter after each line):

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\drtemp\pynix.dll

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\thi1e71.tmp\pynix.dll

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\thi4f81.tmp\pynix.dll

regsvr32 /u C:\WINDOWS\System32\lastgood\pynix.dll

regsvr32 /u C:\WINDOWS\System32\pynix.dll

Close the Command window.

Go to Start, Run, type regedit in the box, and hit Enter. When the Registry Editor opens, navigate to the following locations, right-click on the entry, and delete it:

HKEY_CLASSES_ROOT\clsid\{00000000-dd60-0064-6ec2-6e0100000000}

HKEY_CLASSES_ROOT\interface\{17973bd7-959c-4d8a-8b2f-ab200e20a75e}

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj.1\pynixobj class

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj\curver\pynixdll.pynixdllobj.1

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj\pynix functional class

HKEY_CURRENT_USER\software\pynix

Close the Registry Editor.

Do a search for the following and delete any instances found:

Polall1p
Pynix


Run CCleaner again.

Scan with MS Antispyware and let us know the results.

Close any open browser windows, scan with HJT, and post a new log please.

0

I did all the above but it's still there! See what I've documented below:

Open Task Manager (Ctrl-Alt-Del), and look for polall1p.exe; if found, highlight it and then hit the End Process button.

Go to the Start menu and select Run. In the box that pops up type in cmd; the command prompt will open.

Unregister these DLLs by entering the following (hit Enter after each line):

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\drtemp\pynix.dll

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\thi1e71.tmp\pynix.dll

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\thi4f81.tmp\pynix.dll

regsvr32 /u C:\WINDOWS\System32\lastgood\pynix.dll

regsvr32 /u C:\WINDOWS\System32\pynix.dll - None of these were found; I manually checked at these locations and pynix wasn't in any of them.

Close the Command window.

Go to Start, Run, type regedit in the box, and hit Enter. When the Registry Editor opens, navigate to the following locations, right-click on the entry, and delete it:

HKEY_CLASSES_ROOT\clsid\{00000000-dd60-0064-6ec2-6e0100000000} - Not there either, but on a check for just {00000000-dd60-0064-6ec2-6e0100000000} it was found at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-DD60-0064-6EC2-6E0100000000}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-DD60-0064-6EC2-6E0100000000}\iexplore folder was also found inside - I deleted both.

HKEY_CLASSES_ROOT\interface\{17973bd7-959c-4d8a-8b2f-ab200e20a75e} - not found

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj.1\pynixobj class - not found

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj\curver\pynixdll.pynixdllobj.1 - not found

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj\pynix functional class - not found

HKEY_CURRENT_USER\software\pynix - not found

Close the Registry Editor.

Do a search for the following and delete any instances found:

Polall1p - not found
Pynix - found at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU; I deleted this


Run CCleaner again. - finds nothing

Scan with MS Antispyware and let us know the results. - finds nothing

Close any open browser windows, scan with HJT, and post a new log please.


New HJT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 23:38:24, on 03/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Graham Archer\Desktop\Virus Protection\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.sns.york.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: MFWAKeys.lnk = C:\audio\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: BT - {94879043-16A1-425D-90CC-EB5D3F8F73C6} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {97367153-69C3-4610-835E-ACF3A3CEB6EC} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093180511655
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
How do you know you still have it?

Scan with HJT and have it fix the following:

O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

Close any open windows and hit Fix checked.

Update both your AV program and Ewido.

Reboot into Safe Mode and do a full system scan with each.

Reboot normally and post a new HJT log and the new Ewido log please.
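The reply above singles out the three O2 entries whose target is "(no file)". As an added example, not code from this thread or from HijackThis, here is a small triage script that applies the same rule to a whole log and goes one step further: it also flags O9 buttons marked "(file missing)" and O16 DPF entries that HJT prints with no codebase URL after the final dash. The parser, the Finding type and the sample lines are mine; the sample is constructed from the shape of the log posted above, and the "(no file)" / "(file missing)" markers are the ones HijackThis 1.99.1 itself prints.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the HijackThis 1.99.1 log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O9 - Extra button: BT - {94879043-16A1-425D-90CC-EB5D3F8F73C6} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
"""

# Registry-style CLSID: {8-4-4-4-12} hex groups.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HJT section tag at the start of a line, e.g. "O2 - ", "R1 - ".
SECTION_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+")
# Markers HJT prints when a registered component's file is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str          # HJT section tag, e.g. "O2"
    clsid: Optional[str]  # CLSID carried by the entry, if any
    reason: str           # why the entry was flagged
    line: str             # original log line, ready to tick in HJT's fix list


def triage(log_text: str) -> List[Finding]:
    """Return the log entries that point nowhere: dead BHOs/buttons and
    DPF entries with no download source."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        section = m.group(1)
        c = CLSID_RE.search(line)
        clsid = c.group(0) if c else None

        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, clsid,
                                    "registered component points at a file that no longer exists",
                                    line))
            continue

        if section == "O16":
            # HJT prints the codebase URL as the last " - " field; an empty
            # field means the ActiveX entry cannot be traced to a source.
            fields = re.split(r"\s+-\s*", line)
            if not fields[-1].strip():
                findings.append(Finding(section, clsid,
                                        "ActiveX (DPF) entry has no codebase URL",
                                        line))
    return findings


def fix_list(findings: List[Finding], section: str = "O2") -> List[str]:
    """Lines for one section, in the form the helper quotes them for 'Fix checked'."""
    return [f.line for f in findings if f.section == section]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.clsid or '-':40} {f.reason}")
    print("\nO2 entries to fix in HJT:")
    for line in fix_list(triage(SAMPLE_LOG)):
        print(" ", line)
```

Run it over a saved log (`triage(open("hijackthis.log").read())`) and compare the O2 output with what the helper lists above. One caveat worth keeping in mind when reading the results: a BHO whose DLL is absent cannot be loaded by Internet Explorer, so fixing those entries clears registry leftovers rather than stopping a running component. Entries whose file is still on disk are not flagged by this rule and need the file itself checked (path, vendor, scan result) before deciding anything.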
