Help! My Computer is Infested with Spyware/Viruses

Ack! That really is quite the nest of nasties you have there :(

Please try to do as much of the following as the state of your computer will allow. If you aren't able to complete all of the procedures, let us know exactly what you were and were not able to do:

A) Open the Services utility in your Administrative Tools control panel.
* Locate the service named "Windows Overlay Components" and double-click on it.
* Click the "Stop" button; once the service is stopped, choose "Disabled" from the "Startup type" drop-down box.
* Click OK to close the service's Properties window, and then exit the Services utility.

B) Visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner

TrojanScan

C) You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

> Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware (14 day free trial) - http://www.ewido.net/en/download/

* Also download the free WinsockXPFix utility and save it in a folder of its own. Don't do anything with the program yet; we'll be using it later.

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open your anti-virus program and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.

> Run HijackThis, put a check in the boxes to the left of the following entries, and then click the "Fix checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe
O4 - HKLM\..\Run: [xscoclqA] C:\WINDOWS\xscoclqA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms034295255-93] C:\WINDOWS\ms034295255-93.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban12.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [{FC-C9-92-29-ZN}] C:\windows\system32\qodsregl.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinprai.exe CORN001
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\pwinprai.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: svchost.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/Acti...iveLauncher.cab
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xscoclq.exe

* Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

Windows Overlay Components

Close HijackThis after that.

> Run WinSockXPFix. The program is very easy to use; a tutorial can be found here.

> Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu; check "Show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types". Close Explorer after that.

- Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK

- In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders

- Click on Run Cleaner

It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

- Run your anti-virus program, MS Antispyware, and ewido; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

- Run Spy Sweeper.
* Under the Sweep Options tab, select ALL options under 'What to Sweep'.
* Click the "Sweep" icon and then "Start" to begin scanning.
*When the scan completes, click Next to automatically quarantine all detected items.
*Click the Results icon, select Session Log, and then click Save to File. Save the scan results to your desktop and close Spy Sweeper.

- Open Windows explorer again, search for the following files, and delete them if found:

C:\WINDOWS\system32\wdc1n.dll
C:\WINDOWS\DH.dll
csrrs.exe <-- Note that there is a legitimate Windows file named csrss.exe in the C:\WINDOWS\system32 folder; DO NOT delete that file !!
winsysupd12.exe
C:\WINDOWS\xscoclqA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms034295255-93.exe
winsysban12.exe
gimmygames12.exe
C:\WINDOWS\system32\dgfgql.exe
C:\windows\system32\qodsregl.exe
C:\WINDOWS\system32\pwinprai.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
C:\WINDOWS\xscoclq.exe

- Delete the following folders entirely if found:

C:\Program Files\SurfSideKick 3
C:\Program Files\NewDotNet
C:\Program Files\Common Files\VCClient

> Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the logs that ewido and Spy Sweeper generated.

Ok - I went through the instructions provided and was able to do most.

Please note I was unable to to run most of the online virus scans, however I did run the Housecall at Trend Micro and it deleted over 700 viruses.

I was also unable to get the Microsoft Anti-Spyware beta to download, so I didn't use that.

System is definitely running better at the moment. Here are the logs, please let me know if there is more to do.

Thanks so much for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:25:47 PM, on 2/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Documents and Settings\Kevin1\Desktop\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\documents and settings\kevin1\my documents\kev\qttask.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\win32095-93429525.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin1\Desktop\HIJACK THIS EXE\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\kevin1\my documents\kev\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [win32095-93429525] C:\WINDOWS\win32095-93429525.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://216.234.48.23/CFIDE/classes/CFJava.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4524/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Kevin1\Desktop\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Kevin1\Desktop\Ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           10:46:33 PM, 2/28/2006
+ Report-Checksum:      508AB2CC


+ Scan result:


HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1599196801-4025279379-689279713-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1599196801-4025279379-689279713-1006\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1599196801-4025279379-689279713-1006\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
[492] C:\Program Files\NewDotNet\newdotnet7_22.dll -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Kevin1\Desktop\HIJACK THIS EXE\backups\backup-20050705-232857-470.dll -> Adware.HotSearchBar : Cleaned with backup
C:\Documents and Settings\Kevin1\Desktop\HIJACK THIS EXE\backups\backup-20060228-211704-113.dll -> Adware.Softomate : Cleaned with backup
C:\Documents and Settings\Kevin1\Desktop\HIJACK THIS EXE\backups\backup-20060228-211704-743.dll -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Kevin1\Desktop\HIJACK THIS EXE\backups\backup-20060228-211704-828.dll -> Hijacker.Small.jf : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Common Files\InetGet\mc-110-12-0000140.exe -> Dropper.Agent.aac : Cleaned with backup
C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe -> Dropper.Agent.aac : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\NaviSearch -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\NaviSearch\bin -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\NaviSearch\t1141169662.dec -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\NewDotNet\newdotnet7_22.dll -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\NewDotNet\readme.html -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\NewDotNet\uninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\NewDotNet\uninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Toolbar888\ToolBar888.dll -> Adware.Softomate : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP881\A0052811.exe -> Downloader.VB.tw : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP881\A0052812.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP881\A0053822.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP881\A0054817.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP881\A0054836.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP881\A0055831.exe -> Downloader.VB.tw : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP881\A0055839.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP881\A0056836.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0057831.srg -> Adware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0057832.dll -> Adware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0057839.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0057848.exe -> Adware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0057850.exe -> Adware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0057851.vxd -> Adware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0057852.srg -> Adware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0058877.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0058884.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0059884.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0060884.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0061885.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0062885.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0063885.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\A0064885.exe -> Adware.Maxifiles : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP882\snapshot\MFEX-1.DAT -> Adware.BargainBuddy : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\exdl.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\exdl2.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsa33.dll -> Adware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsv39.dll -> Adware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nvms.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\Cache -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\Cache\Database -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\Cache\Database\file-5001-1015447863.sig -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\Cache\Database\index256.dbb -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\P2P Networking.exe -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\SYSTEM32\qodsregl.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\redtrsha.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\xscoclq.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\xscoclqA.exe -> Hijacker.VB.ij : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup



::Report End


********
10:49 PM: |       Start of Session, Tuesday, February 28, 2006       |
10:49 PM: Spy Sweeper started
10:49 PM: Sweep initiated using definitions version 623
10:49 PM: Starting Memory Sweep
10:50 PM: Memory Sweep Complete, Elapsed Time: 00:01:07
10:50 PM: Starting Registry Sweep
10:50 PM:   Found Adware: exact navisearch
10:50 PM:   HKCR\clsid\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\  (9 subtraces) (ID = 104006)
10:50 PM:   Found Adware: clearsearch
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\contextsidebar\  (2 subtraces) (ID = 105842)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\ronsidebar\  (2 subtraces) (ID = 105844)
10:50 PM:   Found Adware: exactsearch.net hijacker
10:50 PM:   HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 125858)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\  (1 subtraces) (ID = 135578)
10:50 PM:   Found Adware: surfsidekick
10:50 PM:   HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
10:50 PM:   Found Adware: zenosearchassistant
10:50 PM:   HKLM\software\microsoft\windows\currentversion\app management\arpcache\zeno search assistant\  (2 subtraces) (ID = 147930)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\app management\arpcache\enhanced ads by zeno\  (2 subtraces) (ID = 147931)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\enhanced ads by zeno\  (2 subtraces) (ID = 147934)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\zeno search assistant\  (2 subtraces) (ID = 147935)
10:50 PM:   Found Adware: rich editor
10:50 PM:   HKCR\lowsol.richeditor\  (5 subtraces) (ID = 372961)
10:50 PM:   HKCR\lowsol.richeditor.1\  (3 subtraces) (ID = 372967)
10:50 PM:   HKCR\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\  (9 subtraces) (ID = 373009)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\app paths\richedtr\  (2 subtraces) (ID = 373109)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\app paths\richup\ || path (ID = 373114)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\richeditor\  (2 subtraces) (ID = 373125)
10:50 PM:   HKLM\software\riched\  (32 subtraces) (ID = 373158)
10:50 PM:   HKLM\software\classes\lowsol.richeditor\  (5 subtraces) (ID = 373176)
10:50 PM:   HKLM\software\classes\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\  (9 subtraces) (ID = 373224)
10:50 PM:   HKLM\software\classes\lowsol.richeditor.1\  (3 subtraces) (ID = 479490)
10:50 PM:   HKLM\software\classes\clsid\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\  (9 subtraces) (ID = 646656)
10:50 PM:   HKLM\software\classes\typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516c2e3}\  (9 subtraces) (ID = 651255)
10:50 PM:   Found Adware: visfx
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\  (2 subtraces) (ID = 712951)
10:50 PM:   Found Adware: enbrowser
10:50 PM:   HKLM\software\system\sysold\  (2 subtraces) (ID = 926808)
10:50 PM:   Found Adware: elitemediagroup-pop64
10:50 PM:   HKLM\software\microsoft\code store database\distribution units\{9ac54695-69a4-46f1-be10-10c74f9520d5}\  (7 subtraces) (ID = 1122691)
10:50 PM:   Found Adware: dollarrevenue
10:50 PM:   HKLM\software\microsoft\drsmartload2\  (1 subtraces) (ID = 1134137)
10:50 PM:   Found Adware: maxifiles
10:50 PM:   HKCR\xbtb04715.ietoolbar.1\  (3 subtraces) (ID = 1156344)
10:50 PM:   HKCR\xbtb04715.ietoolbar\  (5 subtraces) (ID = 1156348)
10:50 PM:   HKCR\toolband.xbtb04715.1\  (3 subtraces) (ID = 1156354)
10:50 PM:   HKCR\toolband.xbtb04715\  (5 subtraces) (ID = 1156358)
10:50 PM:   HKCR\xbtb04715.xbtb04715.1\  (3 subtraces) (ID = 1156364)
10:50 PM:   HKCR\xbtb04715.xbtb04715\  (5 subtraces) (ID = 1156368)
10:50 PM:   HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\  (9 subtraces) (ID = 1156391)
10:50 PM:   HKLM\software\classes\toolband.xbtb04715\  (5 subtraces) (ID = 1156475)
10:50 PM:   HKLM\software\classes\xbtb04715.xbtb04715.1\  (3 subtraces) (ID = 1156481)
10:50 PM:   HKLM\software\classes\xbtb04715.xbtb04715\  (5 subtraces) (ID = 1156485)
10:50 PM:   HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\  (9 subtraces) (ID = 1156508)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\  (2 subtraces) (ID = 1156519)
10:50 PM:   HKLM\software\classes\xbtb04715.ietoolbar.1\  (3 subtraces) (ID = 1156524)
10:50 PM:   HKLM\software\classes\xbtb04715.ietoolbar\  (5 subtraces) (ID = 1156528)
10:50 PM:   HKLM\software\classes\toolband.xbtb04715.1\  (3 subtraces) (ID = 1156534)
10:50 PM:   Found Adware: drsnsrch.com hijack
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:50 PM:   Found Adware: sidesearch
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:50 PM:   Found Adware: findthewebsiteyouneed hijack
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\system\sysuid\  (1 subtraces) (ID = 731748)
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\director\ || baseurl (ID = 980277)
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\xbtb04715\  (71 subtraces) (ID = 1156401)
10:51 PM: Registry Sweep Complete, Elapsed Time:00:00:17
10:51 PM: Starting Cookie Sweep
10:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:51 PM: Starting File Sweep
10:51 PM:   c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
10:51 PM:   c:\documents and settings\kevin1\start menu\programs\navisearch (1 subtraces) (ID = -2147470942)
10:51 PM:   c:\program files\clearsearch (ID = -2147481257)
10:51 PM:   Found Trojan Horse: trojan downloader matcash
10:51 PM:   c:\program files\common files\inetget (ID = -2147477182)
10:52 PM:   drsmartload1.exe (ID = 245972)
10:52 PM:   sskknwrd.dll (ID = 77733)
10:52 PM:   ss1001.exe (ID = 216718)
10:52 PM:   Found Adware: ezsearchbar
10:52 PM:   name_gender.ini (ID = 60351)
10:54 PM:   Found Adware: apropos
10:54 PM:   exec.exe (ID = 50118)
10:54 PM:   mc-110-12-0000140.exe (ID = 246327)
10:55 PM:   backup-20050705-232857-990.dll (ID = 109658)
10:58 PM:   autoit3.exe (ID = 185254)
10:58 PM:   pf78.exe (ID = 244430)
11:00 PM:   Found Adware: ipinsight
11:00 PM:   ipinsigt.inf (ID = 64282)
11:02 PM:   adbltzun.exe (ID = 109655)
11:04 PM:   basis.xml (ID = 244764)
11:04 PM:   Found Adware: zquest
11:04 PM:   dr21206.exe (ID = 251354)
11:05 PM:   Found Adware: quicklink search toolbar
11:05 PM:   f50i.tcp (ID = 208796)
11:06 PM:   Found Adware: wild media - statblaster
11:06 PM:   msview.ini (ID = 77091)
11:06 PM:   Found Adware: directrevenue-abetterinternet
11:06 PM:   abiuninst.htm (ID = 83087)
11:06 PM:   Found Adware: safesurf
11:06 PM:   installerv3.exe (ID = 113942)
11:07 PM:   msnav32.ax (ID = 220229)
11:07 PM:   zxdnt3d.cfg (ID = 91140)
11:07 PM:   addr_var.ini (ID = 60329)
11:07 PM:   birth_var.ini (ID = 60332)
11:07 PM:   city_var.ini (ID = 60333)
11:07 PM:   name_var.ini (ID = 60352)
11:07 PM:   states.ini (ID = 60360)
11:07 PM:   zip_var.ini (ID = 60362)
11:07 PM:   phone_var.ini (ID = 60353)
11:07 PM:   sskcwrd.dll (ID = 77712)
11:07 PM:   nt68rrtc12.sys (ID = 220230)
11:07 PM:   msvini.inf (ID = 77093)
11:07 PM:   alchem.inf (ID = 83109)
11:07 PM:   susp.inf (ID = 83526)
11:07 PM:   Found Adware: twain-tech
11:07 PM:   mxtini.inf (ID = 81846)
11:07 PM: File Sweep Complete, Elapsed Time: 00:16:13
11:07 PM: Full Sweep has completed.  Elapsed time 00:17:46
11:07 PM: Traces Found: 354
11:08 PM: Removal process initiated
11:08 PM:   Quarantining All Traces: exact navisearch
11:08 PM:   Quarantining All Traces: clearsearch
11:08 PM:   Quarantining All Traces: exactsearch.net hijacker
11:08 PM:   Quarantining All Traces: surfsidekick
11:08 PM:   Quarantining All Traces: zenosearchassistant
11:08 PM:   Quarantining All Traces: rich editor
11:08 PM:   Quarantining All Traces: visfx
11:08 PM:   Quarantining All Traces: enbrowser
11:08 PM:   Quarantining All Traces: elitemediagroup-pop64
11:08 PM:   Quarantining All Traces: dollarrevenue
11:08 PM:   Quarantining All Traces: maxifiles
11:08 PM:   Quarantining All Traces: drsnsrch.com hijack
11:08 PM:   Quarantining All Traces: sidesearch
11:09 PM:   Quarantining All Traces: findthewebsiteyouneed hijack
11:09 PM:   Quarantining All Traces: trojan downloader matcash
11:09 PM:   Quarantining All Traces: ezsearchbar
11:09 PM:   Quarantining All Traces: apropos
11:09 PM:   Quarantining All Traces: ipinsight
11:09 PM:   Quarantining All Traces: zquest
11:09 PM:   Quarantining All Traces: quicklink search toolbar
11:09 PM:   Quarantining All Traces: wild media - statblaster
11:09 PM:   Quarantining All Traces: directrevenue-abetterinternet
11:09 PM:   Quarantining All Traces: safesurf
11:09 PM:   Quarantining All Traces: twain-tech
11:09 PM: Removal process completed.  Elapsed time 00:00:57
********
8:44 PM: |       Start of Session, Tuesday, February 28, 2006       |
8:44 PM: Spy Sweeper started
8:46 PM: Your spyware definitions have been updated.
8:50 PM: The Spy Communication shield has blocked access to: www.maxifiles.com
8:50 PM: The Spy Communication shield has blocked access to: www.maxifiles.com
9:14 PM: Memory Shield: Found: Memory-resident threat zquest, version 1.0.0.0
9:14 PM: Detected running threat: zquest
9:14 PM: Ignored memory-resident threat: zquest
9:14 PM: Memory Shield: Found: Memory-resident threat maxifiles, version 1.0.0.0
9:14 PM: Detected running threat: maxifiles
9:14 PM: Ignored memory-resident threat: maxifiles
9:14 PM: Memory Shield: Found: Memory-resident threat exact navisearch, version 1.0.0.0
9:14 PM: Detected running threat: exact navisearch
9:14 PM: Ignored memory-resident threat: exact navisearch
9:14 PM: Memory Shield: Found: Memory-resident threat trojan downloader matcash, version 1.0.0.0
9:14 PM: Detected running threat: trojan downloader matcash
9:14 PM: Ignored memory-resident threat: trojan downloader matcash
9:14 PM: Memory Shield: Found: Memory-resident threat enbrowser, version 1.0.0.0
9:14 PM: Detected running threat: enbrowser
9:14 PM: Ignored memory-resident threat: enbrowser
10:48 PM: Program Version 4.5.9  (Build 709)  Using Spyware Definitions 623
10:49 PM: |       End of Session, Tuesday, February 28, 2006       |

Much better, but not totally clean yet.

A) Disable XP's System Restore function. Instructions for doing so and an explanation of why we're doing it are here.

B) Open your Add/Remove Programs control panel. Uninstall NewDotNet via the control panel if you find it listed there.

C) Run another HJT scan and fix the following entries:

O4 - HKLM\..\Run: [win32095-93429525] C:\WINDOWS\win32095-93429525.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

* Additionally, the files referenced in the following entries, while not necessarilly malicious, do not need to run at Windows startup. Disabling them will not adversely effect their "parent" programs, but it will speed up your boot time slightly and also reduce the load on your system resources (memory and CPU usage):

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\kevin1\my documents\kev\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

D) As described in my last post, open your antivirus and antispyware programs and make sure they have the most current updates installed. Do not run scans with them yet.

E) Reboot into Safe Mode and:

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu; check "Show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types". Close Explorer after that.
* Run CCleaner again.
* Run your antivirus and antispyware programs as you did before.
* Open Windows explorer again, search for the following file, and delete it if found:
C:\WINDOWS\win32095-93429525.exe

* Delete the following folders entirely if they still exist:
C:\PROGRAM FILES\NEWDOTNET
C:\Program Files\Toolbar888
C:\Program Files\Common Files\InetGet
C:\Program Files\NaviSearch
C:\Program Files\SurfSideKick 3

F) Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the logs that ewido and Spy Sweeper generated.

Here are the logs - things are looking better. Let me know if you see anything else. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:44:07 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Documents and Settings\Kevin1\Desktop\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin1\Desktop\HIJACK THIS EXE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://education.dellnet.com/[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://education.dellnet.com/[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://education.dellnet.com/[/url]
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - [url]http://housecall60.trendmicro.com/housecall/xscan60.cab[/url]
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - [url]http://216.234.48.23/CFIDE/classes/CFJava.cab[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://acs.pandasoftware.com/activescan/as5free/asinst.cab[/url]
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - [url]http://www.windowsecurity.com/trojanscan/axscan.cab[/url]
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [url]http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4524/mcfscan.cab[/url]
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - [url]http://www.gamespot.com/KDX22/download/kdx.cab[/url]
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Kevin1\Desktop\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Kevin1\Desktop\Ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          9:04:11 PM, 3/1/2006
 + Report-Checksum:     C4987D62

 + Scan result:

    No infected objects found.


::Report End

********
9:04 PM: |       Start of Session, Wednesday, March 01, 2006       |
9:04 PM: Spy Sweeper started
9:04 PM: Sweep initiated using definitions version 623
9:04 PM: Starting Memory Sweep
9:05 PM: Memory Sweep Complete, Elapsed Time: 00:01:00
9:05 PM: Starting Registry Sweep
9:05 PM:   Found Adware: enbrowser
9:05 PM:   HKLM\software\system\sysold\  (1 subtraces) (ID = 926808)
9:06 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\system\sysuid\  (1 subtraces) (ID = 731748)
9:06 PM: Registry Sweep Complete, Elapsed Time:00:00:16
9:06 PM: Starting Cookie Sweep
9:06 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:06 PM: Starting File Sweep
9:21 PM: File Sweep Complete, Elapsed Time: 00:15:30
9:21 PM: Full Sweep has completed.  Elapsed time 00:17:03
9:21 PM: Traces Found: 4
9:30 PM: Removal process initiated
9:30 PM:   Quarantining All Traces: enbrowser
9:30 PM: Removal process completed.  Elapsed time 00:00:04
********
10:49 PM: |       Start of Session, Tuesday, February 28, 2006       |
10:49 PM: Spy Sweeper started
10:49 PM: Sweep initiated using definitions version 623
10:49 PM: Starting Memory Sweep
10:50 PM: Memory Sweep Complete, Elapsed Time: 00:01:07
10:50 PM: Starting Registry Sweep
10:50 PM:   Found Adware: exact navisearch
10:50 PM:   HKCR\clsid\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\  (9 subtraces) (ID = 104006)
10:50 PM:   Found Adware: clearsearch
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\contextsidebar\  (2 subtraces) (ID = 105842)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\ronsidebar\  (2 subtraces) (ID = 105844)
10:50 PM:   Found Adware: exactsearch.net hijacker
10:50 PM:   HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 125858)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\  (1 subtraces) (ID = 135578)
10:50 PM:   Found Adware: surfsidekick
10:50 PM:   HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
10:50 PM:   Found Adware: zenosearchassistant
10:50 PM:   HKLM\software\microsoft\windows\currentversion\app management\arpcache\zeno search assistant\  (2 subtraces) (ID = 147930)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\app management\arpcache\enhanced ads by zeno\  (2 subtraces) (ID = 147931)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\enhanced ads by zeno\  (2 subtraces) (ID = 147934)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\zeno search assistant\  (2 subtraces) (ID = 147935)
10:50 PM:   Found Adware: rich editor
10:50 PM:   HKCR\lowsol.richeditor\  (5 subtraces) (ID = 372961)
10:50 PM:   HKCR\lowsol.richeditor.1\  (3 subtraces) (ID = 372967)
10:50 PM:   HKCR\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\  (9 subtraces) (ID = 373009)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\app paths\richedtr\  (2 subtraces) (ID = 373109)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\app paths\richup\ || path (ID = 373114)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\richeditor\  (2 subtraces) (ID = 373125)
10:50 PM:   HKLM\software\riched\  (32 subtraces) (ID = 373158)
10:50 PM:   HKLM\software\classes\lowsol.richeditor\  (5 subtraces) (ID = 373176)
10:50 PM:   HKLM\software\classes\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\  (9 subtraces) (ID = 373224)
10:50 PM:   HKLM\software\classes\lowsol.richeditor.1\  (3 subtraces) (ID = 479490)
10:50 PM:   HKLM\software\classes\clsid\{aeecbfda-12fa-4881-bdce-8c3e1ce4b344}\  (9 subtraces) (ID = 646656)
10:50 PM:   HKLM\software\classes\typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516c2e3}\  (9 subtraces) (ID = 651255)
10:50 PM:   Found Adware: visfx
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\  (2 subtraces) (ID = 712951)
10:50 PM:   Found Adware: enbrowser
10:50 PM:   HKLM\software\system\sysold\  (2 subtraces) (ID = 926808)
10:50 PM:   Found Adware: elitemediagroup-pop64
10:50 PM:   HKLM\software\microsoft\code store database\distribution units\{9ac54695-69a4-46f1-be10-10c74f9520d5}\  (7 subtraces) (ID = 1122691)
10:50 PM:   Found Adware: dollarrevenue
10:50 PM:   HKLM\software\microsoft\drsmartload2\  (1 subtraces) (ID = 1134137)
10:50 PM:   Found Adware: maxifiles
10:50 PM:   HKCR\xbtb04715.ietoolbar.1\  (3 subtraces) (ID = 1156344)
10:50 PM:   HKCR\xbtb04715.ietoolbar\  (5 subtraces) (ID = 1156348)
10:50 PM:   HKCR\toolband.xbtb04715.1\  (3 subtraces) (ID = 1156354)
10:50 PM:   HKCR\toolband.xbtb04715\  (5 subtraces) (ID = 1156358)
10:50 PM:   HKCR\xbtb04715.xbtb04715.1\  (3 subtraces) (ID = 1156364)
10:50 PM:   HKCR\xbtb04715.xbtb04715\  (5 subtraces) (ID = 1156368)
10:50 PM:   HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\  (9 subtraces) (ID = 1156391)
10:50 PM:   HKLM\software\classes\toolband.xbtb04715\  (5 subtraces) (ID = 1156475)
10:50 PM:   HKLM\software\classes\xbtb04715.xbtb04715.1\  (3 subtraces) (ID = 1156481)
10:50 PM:   HKLM\software\classes\xbtb04715.xbtb04715\  (5 subtraces) (ID = 1156485)
10:50 PM:   HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\  (9 subtraces) (ID = 1156508)
10:50 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\  (2 subtraces) (ID = 1156519)
10:50 PM:   HKLM\software\classes\xbtb04715.ietoolbar.1\  (3 subtraces) (ID = 1156524)
10:50 PM:   HKLM\software\classes\xbtb04715.ietoolbar\  (5 subtraces) (ID = 1156528)
10:50 PM:   HKLM\software\classes\toolband.xbtb04715.1\  (3 subtraces) (ID = 1156534)
10:50 PM:   Found Adware: drsnsrch.com hijack
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:50 PM:   Found Adware: sidesearch
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:50 PM:   Found Adware: findthewebsiteyouneed hijack
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\system\sysuid\  (1 subtraces) (ID = 731748)
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\director\ || baseurl (ID = 980277)
10:50 PM:   HKU\S-1-5-21-1599196801-4025279379-689279713-1006\software\xbtb04715\  (71 subtraces) (ID = 1156401)
10:51 PM: Registry Sweep Complete, Elapsed Time:00:00:17
10:51 PM: Starting Cookie Sweep
10:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:51 PM: Starting File Sweep
10:51 PM:   c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
10:51 PM:   c:\documents and settings\kevin1\start menu\programs\navisearch (1 subtraces) (ID = -2147470942)
10:51 PM:   c:\program files\clearsearch (ID = -2147481257)
10:51 PM:   Found Trojan Horse: trojan downloader matcash
10:51 PM:   c:\program files\common files\inetget (ID = -2147477182)
10:52 PM:   drsmartload1.exe (ID = 245972)
10:52 PM:   sskknwrd.dll (ID = 77733)
10:52 PM:   ss1001.exe (ID = 216718)
10:52 PM:   Found Adware: ezsearchbar
10:52 PM:   name_gender.ini (ID = 60351)
10:54 PM:   Found Adware: apropos
10:54 PM:   exec.exe (ID = 50118)
10:54 PM:   mc-110-12-0000140.exe (ID = 246327)
10:55 PM:   backup-20050705-232857-990.dll (ID = 109658)
10:58 PM:   autoit3.exe (ID = 185254)
10:58 PM:   pf78.exe (ID = 244430)
11:00 PM:   Found Adware: ipinsight
11:00 PM:   ipinsigt.inf (ID = 64282)
11:02 PM:   adbltzun.exe (ID = 109655)
11:04 PM:   basis.xml (ID = 244764)
11:04 PM:   Found Adware: zquest
11:04 PM:   dr21206.exe (ID = 251354)
11:05 PM:   Found Adware: quicklink search toolbar
11:05 PM:   f50i.tcp (ID = 208796)
11:06 PM:   Found Adware: wild media - statblaster
11:06 PM:   msview.ini (ID = 77091)
11:06 PM:   Found Adware: directrevenue-abetterinternet
11:06 PM:   abiuninst.htm (ID = 83087)
11:06 PM:   Found Adware: safesurf
11:06 PM:   installerv3.exe (ID = 113942)
11:07 PM:   msnav32.ax (ID = 220229)
11:07 PM:   zxdnt3d.cfg (ID = 91140)
11:07 PM:   addr_var.ini (ID = 60329)
11:07 PM:   birth_var.ini (ID = 60332)
11:07 PM:   city_var.ini (ID = 60333)
11:07 PM:   name_var.ini (ID = 60352)
11:07 PM:   states.ini (ID = 60360)
11:07 PM:   zip_var.ini (ID = 60362)
11:07 PM:   phone_var.ini (ID = 60353)
11:07 PM:   sskcwrd.dll (ID = 77712)
11:07 PM:   nt68rrtc12.sys (ID = 220230)
11:07 PM:   msvini.inf (ID = 77093)
11:07 PM:   alchem.inf (ID = 83109)
11:07 PM:   susp.inf (ID = 83526)
11:07 PM:   Found Adware: twain-tech
11:07 PM:   mxtini.inf (ID = 81846)
11:07 PM: File Sweep Complete, Elapsed Time: 00:16:13
11:07 PM: Full Sweep has completed.  Elapsed time 00:17:46
11:07 PM: Traces Found: 354
11:08 PM: Removal process initiated
11:08 PM:   Quarantining All Traces: exact navisearch
11:08 PM:   Quarantining All Traces: clearsearch
11:08 PM:   Quarantining All Traces: exactsearch.net hijacker
11:08 PM:   Quarantining All Traces: surfsidekick
11:08 PM:   Quarantining All Traces: zenosearchassistant
11:08 PM:   Quarantining All Traces: rich editor
11:08 PM:   Quarantining All Traces: visfx
11:08 PM:   Quarantining All Traces: enbrowser
11:08 PM:   Quarantining All Traces: elitemediagroup-pop64
11:08 PM:   Quarantining All Traces: dollarrevenue
11:08 PM:   Quarantining All Traces: maxifiles
11:08 PM:   Quarantining All Traces: drsnsrch.com hijack
11:08 PM:   Quarantining All Traces: sidesearch
11:09 PM:   Quarantining All Traces: findthewebsiteyouneed hijack
11:09 PM:   Quarantining All Traces: trojan downloader matcash
11:09 PM:   Quarantining All Traces: ezsearchbar
11:09 PM:   Quarantining All Traces: apropos
11:09 PM:   Quarantining All Traces: ipinsight
11:09 PM:   Quarantining All Traces: zquest
11:09 PM:   Quarantining All Traces: quicklink search toolbar
11:09 PM:   Quarantining All Traces: wild media - statblaster
11:09 PM:   Quarantining All Traces: directrevenue-abetterinternet
11:09 PM:   Quarantining All Traces: safesurf
11:09 PM:   Quarantining All Traces: twain-tech
11:09 PM: Removal process completed.  Elapsed time 00:00:57
11:20 PM: The Spy Communication shield has blocked access to: [url]www.yourenhancement.com[/url]
11:20 PM: The Spy Communication shield has blocked access to: [url]www.yourenhancement.com[/url]
9:04 PM: Program Version 4.5.9  (Build 709)  Using Spyware Definitions 623
9:04 PM: |       End of Session, Wednesday, March 01, 2006       |
********

That's a clean log now; good work! :)

If it's possible to do now, I'd suggest trying to run the online scanners again just to see if they find any "loose ends" that ewido and Spy Sweeper missed.

Thanks for your help.

You're welcome :)

Were you able to do the online scans? If so, did they turn up anything else?