
Struck By Spyware From Hell! HijackThis Log...



Joakim Agren
06-18-2004, 02:21 AM
Hello!

In the past I have always been able to get rid of spyware by using updated Ad-Aware 6 and Spybot Search & Destroy. But now I have tried Spy Sweeper as well, and I still have this serious problem in IE after deleting tons of spyware. The problem I have is that whenever I try to click a link on a web page or use the back/forward buttons in IE, it takes forever before IE reacts and initiates the search and download. I also noticed on a couple of occasions that when I tried to download application files, before I got the save dialog I got a dialog prompting me to install something called an ICOO Loader. Then the problem just got worse, and now, only a minute or so after I have opened IE and clicked a link, instead of getting where I should I get thrown into a massive bombardment of porn pop-ups and sites, and it installs lots of spyware and attempts to install Trojans as well, but NAV 2004 Pro deletes them automatically. So once again I need to get rid of the spyware, for instance by using Spy Sweeper. The last time this happened I quickly opened HijackThis and saved the log. Maybe you pros can help me figure out what the hell I need to do to get IE functioning again (I am currently using Opera). Here is that log:

Logfile of HijackThis v1.97.7
Scan saved at 02:22:59, on 2004-06-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Ahead\InCD\InCD.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\QuickTime\qttask.exe
C:\Program\DU Meter\DUMeter.exe
C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\vzxwzdch.exe
C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program\SETI@home\[email protected]
C:\Program\Messenger\msmsgs.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
C:\WINDOWS\system32\scagent.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ägare\Skrivbord\hijackthis\HijackThis.exe
C:\Documents and Settings\Ägare\Skrivbord\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sv8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sv8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.86.126.226:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bostream.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://sv8.hpwis.com/
R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DFF7-EC7DA787AD2D} - C:\Program\PowerSearch\Toolbar\pwrsqsim.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ShowShifter TVTV EPG Daemon] "C:\Program\Home Media Networks Limited\ShowShifter\TVTVD.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [xqd] C:\WINDOWS\xqd.exe
O4 - HKLM\..\Run: [swjnvjmmmdru] C:\WINDOWS\System32\vzxwzdch.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [seticlient] C:\Program\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: PartMetBackup.lnk = C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares...egular.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://cl55.biz/tracker/eu_cax.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar...vSniff.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/272982e5ddd6df8a80...xIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/sv/big/1...gleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplat...curity.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/L..._EN_XP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...8073032407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3


So guys, what should I do?

Jg427
06-18-2004, 03:46 AM
The first thing I would do is go to Add/Remove Programs and uninstall Twain-Tech if it is listed. If it's not listed, then follow the removal instructions at PestPatrol. (http://www.pestpatrol.com/PestInfo/t/twain-tech.asp)

Adjust your settings for Ad-Aware and run it again after that.
Check for updates. Click the gear at the top and change these settings:
General > activate: automatically save log file, automatically quarantine objects prior to removal

Scanning > activate: scan within archives, scan active processes, scan registry, deep scan registry,
scan my IE Favorites for banned sites and scan my hosts file

Tweaks > Scanning engine > activate: unload recognized processes during scanning.

Tweaks > Cleaning engine > activate: automatically try to unregister objects prior to deletion and let Windows remove
files in use after reboot

Click Proceed to save your settings.

Now run it, make sure "activate in-depth scan" is checked. Fix anything it finds.

When you finish that post a new log.

Jg427
06-18-2004, 04:50 AM
Run an online virus scan at Trend Micro. (http://housecall.trendmicro.com/)
See if PowerSearch is listed in Add/Remove Programs and uninstall it.

Some of these may be fixed by running the virus scan and Ad-Aware again, but these need to be fixed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

If you are not running this proxy, then fix:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.86.126.226:80

Fix:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bostream.com/

R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll

O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll

O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DFF7-EC7DA787AD2D} - C:\Program\PowerSearch\Toolbar\pwrsqsim.dll (file missing)

O4 - HKLM\..\Run: [xqd] C:\WINDOWS\xqd.exe
O4 - HKLM\..\Run: [swjnvjmmmdru] C:\WINDOWS\System32\vzxwzdch.exe

I would fix all O16 entries with HijackThis. Any that you really need will be downloaded again when you need them.

O17 - HKLM\System\CCS\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3

Go to these locations and delete the following files:
C:\WINDOWS\nsdb\hosts
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\msopt.dll
c:\windows\sr.dll
C:\Program\PowerSearch\Toolbar\pwrsqsim.dll (if you did not remove it with Add/Remove Programs)
C:\WINDOWS\xqd.exe
C:\WINDOWS\System32\vzxwzdch.exe

Reset your IE settings. In IE select tools>internet options>programs
near the bottom, click "reset web settings"

Restart and post a new hjt log.
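
Added example (editor's note, not part of the thread): the checks Jg427 walks through above can be turned into a small triage script, so the next log does not have to be read line by line. The Python below parses HijackThis R/O lines and applies the same reasoning: a ProxyServer or ProxyOverride the user never set, a hosts file moved out of system32\drivers\etc or pinning hostnames to addresses, unnamed BHOs and toolbars loaded from the bare Windows directory or pointing at missing files, Run entries that sit directly in C:\WINDOWS or carry random-looking names like swjnvjmmmdru, and O16 ActiveX controls downloaded from IP addresses or from hosts outside a vendor allowlist. The embedded log is a constructed excerpt of the first log in this thread; the vendor allowlist and the vowel-ratio heuristic are the editor's own assumptions, not anything HijackThis or Jg427 defines.

```python
"""Triage a HijackThis 1.9x log for the hijack indicators discussed in this thread.

Heuristics, not verdicts: every hit still needs a human decision before it is 'fixed'.
Usage:  python hjt_triage.py hijackthis.log      (no argument = built-in sample)
"""
import re
import sys
from ipaddress import ip_address
from urllib.parse import urlparse

# A file sitting directly in the Windows directory (C:\WINDOWS\foo.exe), not in a subfolder.
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
DEFAULT_HOSTS = r"c:\windows\system32\drivers\etc\hosts"
# Assumption: the editor's own allowlist of vendors whose .cab files appeared in the thread's logs.
TRUSTED_CAB_HOSTS = ("apple.com", "microsoft.com", "symantec.com", "google.com",
                     "macromedia.com", "trendmicro.com", "pcpitstop.com")

# Constructed excerpt: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.86.126.226:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DFF7-EC7DA787AD2D} - C:\Program\PowerSearch\Toolbar\pwrsqsim.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [xqd] C:\WINDOWS\xqd.exe
O4 - HKLM\..\Run: [swjnvjmmmdru] C:\WINDOWS\System32\vzxwzdch.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://cl55.biz/tracker/eu_cax.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/272982e5ddd6df8a80...xIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3
"""


def looks_random(name):
    """True for names like 'swjnvjmmmdru' or 'vzxwzdch': six or more letters and almost no vowels."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 6 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.15


def triage(log_text):
    """Return (severity, reason, line) triples; severity is 'fix' or 'verify'."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if " - " not in line:
            continue
        kind, body = line.split(" - ", 1)
        if kind == "R1" and ",ProxyServer = " in body:
            findings.append(("fix", "all IE traffic goes through an unexpected proxy", line))
        elif kind == "R1" and ",ProxyOverride = " in body:
            findings.append(("fix", "proxy bypass list names domains the user never configured", line))
        elif kind == "O1" and body.startswith("Hosts file is located at:"):
            if body.split(":", 1)[1].strip().lower() != DEFAULT_HOSTS:
                findings.append(("fix", "hosts file has been relocated away from the default path", line))
        elif kind == "O1":
            findings.append(("fix", "hosts file pins a hostname to a fixed address", line))
        elif kind in ("O2", "O3") and "} - " in body:
            path = body.split("} - ", 1)[1]          # everything after the CLSID is the file path
            if path.endswith("(file missing)"):
                findings.append(("fix", "browser extension registered for a file that no longer exists", line))
            elif "(no name)" in body and WINDIR_ROOT.match(path):
                findings.append(("fix", "unnamed browser extension loaded from the Windows root", line))
        elif kind == "O4":
            m = re.match(r"HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)", body)
            if not m:
                continue                             # Startup-folder entries etc. are not handled here
            name, path = m.group(1), m.group(2)
            if path.startswith('"'):                 # "quoted path" followed by arguments
                path = path[1:].split('"', 1)[0]
            exe = path.split("\\")[-1].rsplit(".", 1)[0]
            if WINDIR_ROOT.match(path):
                findings.append(("fix", "autorun executable sitting directly in the Windows root", line))
            elif looks_random(name) or looks_random(exe):
                findings.append(("fix", "autorun entry with a random-looking name", line))
        elif kind == "O16":
            host = urlparse(body.rsplit(" - ", 1)[1]).hostname or ""
            try:
                ip_address(host)
                is_ip = True
            except ValueError:
                is_ip = False
            trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_CAB_HOSTS)
            if is_ip or not trusted:
                findings.append(("fix", "ActiveX control downloaded from an untrusted origin", line))
        elif kind == "O17":
            findings.append(("verify", "DNS servers: confirm they are your ISP's before changing them", line))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for severity, reason, line in triage(text):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Note how O17 comes back as "verify" rather than "fix": Jg427 listed the NameServer lines among the things to fix, but the same 212.181.54.x resolvers are still present in the final log that Jg427 calls clean, because they are simply the ISP's DNS servers. Deleting an O17 entry that belongs to the ISP breaks name resolution, so the script only asks you to confirm them.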

hungrylilboy
06-18-2004, 10:47 AM
@ Jg427 can i just say that this is one of the best replies i have ever seen. Easy to follow, not arrogant and very helpful.

Joakim Agren
06-19-2004, 03:09 AM
Hello!

Thank you very much for your reply! :)

I have now done as you said and here is the resulting Log:

Logfile of HijackThis v1.97.7
Scan saved at 04:16:03, on 2004-06-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Ahead\InCD\InCD.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\DU Meter\DUMeter.exe
C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\vzxwzdch.exe
C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program\SETI@home\[email protected]
C:\Program\Messenger\msmsgs.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\scagent.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ägare\Skrivbord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ShowShifter TVTV EPG Daemon] "C:\Program\Home Media Networks Limited\ShowShifter\TVTVD.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [seticlient] C:\Program\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: PartMetBackup.lnk = C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/sv/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37911.8073032407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Does it look good?

Or is there more trouble to be fixed?

I am currently posting this from IE and it at least seems as fast as before. So maybe I finally fixed it. Let's hope that it lasts and doesn't come back at the next reboot!

Jg427
06-19-2004, 04:22 AM
One thing still appears to be running, but I don't see a run key that starts it.

vzxwzdch.exe needs to be deleted, but it must stop running first. Open task manager and see if it's listed as a running process and stop it, then delete. If it's not listed, reboot into safemode and see if you can delete it there.

C:\WINDOWS\System32\vzxwzdch.exe

After that's gone, empty all temp. files and disable system restore to remove all restore points, then enable system restore.

Joakim Agren
06-19-2004, 04:50 PM
Originally posted by Jg427@19 June 2004 - 05:30
One thing still appears to be running, but I don't see a run key that starts it.

vzxwzdch.exe needs to be deleted, but it must stop running first. Open task manager and see if it's listed as a running process and stop it, then delete. If it's not listed, reboot into safemode and see if you can delete it there.

C:\WINDOWS\System32\vzxwzdch.exe

After that's gone, empty all temp. files and disable system restore to remove all restore points, then enable system restore.
Hello!

I was able to delete that process in safe mode! Today the processes listed in HijackThis seem good and none of the bad ones are there. So let's hope it will last and not come back! IE is working fine also!

Thank you for your very helpful help!

Here is the latest log:

Logfile of HijackThis v1.97.7
Scan saved at 18:00:22, on 2004-06-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program\Ahead\InCD\InCD.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\DU Meter\DUMeter.exe
C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program\SETI@home\[email protected]
C:\Program\Messenger\msmsgs.exe
C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\scagent.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ägare\Skrivbord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ShowShifter TVTV EPG Daemon] "C:\Program\Home Media Networks Limited\ShowShifter\TVTVD.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [seticlient] C:\Program\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - Startup: PartMetBackup.lnk = C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/sv/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37911.8073032407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3

lynx
06-19-2004, 07:10 PM
Check your IE security settings; my bet is that one of these progs will have modified it to LOW. This makes the chances of reinfection much more likely, since ActiveX controls no longer have to ask for permission to install/run.

dopey
06-19-2004, 07:21 PM
As additional protection, download SpywareBlaster.

It has a database of bad ActiveX programs, and doesn't have to run to be effective. Just check occasionally for updates. :)


http://www.javacoolsoftware.com/spywareblaster.html

Jg427
06-20-2004, 12:52 AM
That last log looks clean to me.

Some suggestions for increasing your browser security

Check for and install Windows security updates
Check your ActiveX settings, as lynx said. You can test your settings at Jason's security test. (http://www.jasons-toolbox.com/BrowserSecurity/javascript-clipboard-test-passed.asp)
Spybot has an immunize feature that will block some bad sites; enable it.
Switch from IE to Firefox (sorry, I couldn't resist adding that) :D
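
Added example (editor's note, not from the thread): lynx and Jg427 both say to check the Internet zone's ActiveX settings, and "Reset Web Settings" on the Programs tab only restores the home and search pages, not the zone level, so that check is worth doing after a cleanup rather than assumed. The script below reads a .reg export of the Internet zone (zone 3) and reports every ActiveX action that is looser than the Medium template. The action value names (1001, 1004, 1200, 1201, 1400, CurrentLevel) and the Enable/Prompt/Disable encoding are the documented IE security-zone values; the Medium baseline table and the sample export, which shows a zone knocked down to Low with everything enabled, are constructed by the editor. Export the key first with: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg

```python
"""Audit Internet Explorer's Internet zone (zone 3) for ActiveX settings that
spyware installers like to loosen. Input is a .reg export of the zone key:

    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg

Usage:  python zone_audit.py zone3.reg      (no argument = built-in sample)
"""
import re
import sys

# Security-zone action values (value names under Zones\3) for the settings under discussion.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3          # the DWORD encoding of each radio button
# Editor's baseline (assumption): what the Medium template sets for the Internet zone in IE 6.
MEDIUM_BASELINE = {"1001": PROMPT, "1004": DISABLE, "1200": ENABLE, "1201": DISABLE, "1400": ENABLE}
LEVELS = {0x10000: "Low", 0x10500: "Medium-Low", 0x11000: "Medium", 0x12000: "High"}

# Constructed export of a hijacked zone: slider at Low and every ActiveX action set to Enable.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00010000
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
"""


def parse_reg_dwords(text):
    """Return {value_name: int} for every REG_DWORD line in a .reg export."""
    out = {}
    for m in re.finditer(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$', text, re.M):
        out[m.group(1)] = int(m.group(2), 16)
    return out


def level_name(values):
    """Human name of the zone slider position, or 'custom/unknown' if it matches no template."""
    return LEVELS.get(values.get("CurrentLevel"), "custom/unknown")


def audit_zone(values):
    """Return (setting, current, expected) for each action more permissive than the Medium baseline.

    A missing value means the action is at its default, so it is treated as compliant.
    Lower numbers are looser (0 Enable < 1 Prompt < 3 Disable), which makes '<' the right test."""
    findings = []
    for action, expected in MEDIUM_BASELINE.items():
        current = values.get(action, expected)
        if current < expected:
            findings.append((ACTIONS[action], current, expected))
    return findings


if __name__ == "__main__":
    # reg export writes UTF-16 with a BOM; the 'utf-16' codec handles that.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    vals = parse_reg_dwords(text)
    print(f"Internet zone level: {level_name(vals)}")
    for setting, current, expected in audit_zone(vals):
        print(f"  LOOSER THAN MEDIUM: {setting}: is {current}, Medium sets {expected}")
```

If the zone reports Low, or any line says "looser than Medium", move the Internet zone slider back to Medium in Tools > Internet Options > Security before browsing with IE again; that restores the prompts that the O16 installers in the first log relied on being absent.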