HJT Log file

Your log shows signs of a couple of infections; let's see what else may be lurking around in your system:

Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download and install the following utilities:

Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
CCleaner - www.ccleaner.com
ewido Anti-malware - http://www.ewido.net/en/download/
* When installing ewido, under "Additional Options" uncheck..

1. • Install background guard
   • Install scan via context menu
2. Launch ewido, there should be an icon on your desktop, double-click it.
3. The program will now open to the main screen.
4. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
5. You will need to update ewido to the latest definition files.
   • On the left hand side of the main screen click update.
   • Then click on Start Update.
6. The update will start and a progress bar will show the updates being installed.
   (the status bar at the bottom will display ("Update successful" )

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run a scan with ewido yet; just close the program once the updates are installed.

* Open your antivirus program and check for/install the most current updates. Again- don't run a scan with it; just close the program once the updates are installed.

* Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named "Network Monitor" or "netmon" and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.
- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.

* Close all open programs, especially Internet Explorer.

* Run HijackThis.
- Click on the "Config" button in the lower right corner of HijackThis' main window.
- In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button.
-Type the following in the box and click OK:
Network Monitor
(if the name Network Monitor gives you an error, try netmon instead)
- Once the deletion completes, click the "Back" button to return to HijackThis' main scan window.

* Run a scan with HJT, put a check mark in the box to the left of the following entries, and then click the "Fix checked" button.
Close HJT after the fixes have completed:
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,npqkfjx.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - Winlogon Notify: NetCache - F:\WINDOWS\system32\wRvemsp.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - F:\Program Files\Network Monitor\netmon.exe (file missing)

* Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

* Run CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK
- In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders
- Click on Run Cleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

* Run full system scans with your antivirus program, Windows Defender, and ewido; have the programs fix all malicious items they find.
When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

* Open Windows Explorer again. Locate and delete the following files if they still exist:F:\WINDOWS\system32\npqkfjx.exe
F:\WINDOWS\system32\dmonwv.dll
F:\WINDOWS\system32\wRvemsp.dll

* Delete the following folder entirely:
F:\Program Files\Network Monitor

* Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.

-

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:51:48 PM, 5/26/2006
+ Report-Checksum: C73919FF

+ Scan result:

HKU\S-1-5-21-117609710-299502267-725345543-500\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-117609710-299502267-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{364B6276-C6C1-40B6-A6D7-6C48871FD707} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-117609710-299502267-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\drsmartload1.0xe -> Downloader.Adload.ba : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\RSInstaller.dll -> Adware.RedSwoosh : Cleaned with backup
C:\WINDOWS\keyboard16.0xe -> Downloader.VB.zg : Cleaned with backup
C:\WINDOWS\mousepad16.0xe -> Trojan.VB.ali : Cleaned with backup
C:\WINDOWS\newname16.0xe -> Downloader.VB.vr : Cleaned with backup
F:\Program Files\Common Files\wkfz\wkfzd\wkfzc.dll -> Adware.TargetServer : Cleaned with backup
F:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup
F:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
F:\WINDOWS\system32\repairs303169578.dll -> Adware.Surfside : Cleaned with backup
F:\WINDOWS\VXNlcg\asappsrv.dll -> Adware.CommAd : Cleaned with backup

::Report End

Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 4:54:33 PM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
F:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
F:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
F:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
F:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
F:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
F:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
F:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
F:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
F:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
F:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
F:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE
F:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe
F:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
F:\Program Files\Yahoo!\Messenger\ypager.exe
F:\Program Files\TGTSoft\StyleXP\StyleXP.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
F:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Administrator\Desktop\hijackthis(2)\HijackThis.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "F:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "F:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [STYLEXP] F:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [XPRepairPro2006] F:\Program Files\XPRepairPro2006\XPRepairPro.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = F:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: F-Secure 2006.lnk = F:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Block this popup - F:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=zuzeb004YYUS_undefined
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - F:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - F:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - F:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - F:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - F:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - F:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - F:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: StyleXPService - Unknown owner - F:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Your latest HJT log is clean, and it looks like ewido detected and removed a handful of other hidden "nasties". Are you seeing an improvement in browser performance, or do things still seem as sluggish as they were before removing the maware?

It does seem a little fast with just text, but certain pages are still slow that used to show up instantly on my computer..half the time they dont even load. :confused:

In your first post you said "browsers" (plural); which other browser(s) aside from IE are you using?

I also use Firefox

Sorry for the delayed response; I've been pretty busy for the last few days.

Try running the free "Cleanup!" utility. A description of the program, and links to the download and FAQs, can be found here.