1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Hijack repair log

Discussion in 'Virus & Other Malware Removal' started by einbks, Feb 4, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. einbks

    einbks Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    26
    Here is our logfile - in setting up Internet Explorer again we ended up with a range of viruses & spyware. We have scanned using AVG & run AdAware & Spybot. We are getting about:blank wanting to be home page plus an unwanted toolbar with links to gambling, sex etc on Internet Explorer.

    I'd like some advice on which items we need to remove from the log.

    Logfile of HijackThis v1.99.0
    Scan saved at 2:11:00 PM, on 5/02/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\RunDll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\qwsxp.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet Cable
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {83B52BE0-68B0-4A41-976A-83E24D29B64F} - C:\WINNT\System32\qwsxp.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINNT\System32\max8264.dll (file missing)
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iesp2.dll
    O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Hot_Tarts_Au] C:\Program Files\Video1\Dialers\Hot_Tarts_Au\Hot_Tarts_Au.exe /dontdial
    O4 - HKLM\..\Run: [Virgins_au] C:\Program Files\Video1\Dialers\Virgins_au\Virgins_au.exe /dontdial
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4426/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA7FB62-35CD-453D-9163-9A81DEC937C3}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O18 - Filter: text/html - {24D3B395-5853-49A4-A4EF-ABA90D9B91D1} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òeEÆR - {24D3B395-5853-49A4-A4EF-ABA90D9B91D1} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÏTÆR - {D3D9A006-58EC-4A26-8679-957FD293AFDE} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÒEÆR - {A04E1EF5-E53E-4814-808D-579001F22F62} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òöEÆR - {B00BAB65-021B-4D64-A216-9CD358748A7C} - C:\WINNT\System32\qwsxp.dll
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    Thanks - einbks
     
  2. einbks

    einbks Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    26
    :( I keep getting a Spyware Browser Alert that my IE Search page has been changed & then I have to click four times to keep my existing home page - if I don't it becomes about:blank.

    I have used AVG virus scanner & Ad Aware & Spybot, but can't remove this problem. Would someone please look at my log & let me know what I need to do.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:26:23 PM, on 7/02/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\RunDll32.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet Cable
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {83B52BE0-68B0-4A41-976A-83E24D29B64F} - C:\WINNT\System32\qwsxp.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINNT\System32\max8264.dll (file missing)
    O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4426/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA7FB62-35CD-453D-9163-9A81DEC937C3}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O18 - Filter: text/html - {10796BDF-F294-4051-86B3-0CA10CFC0928} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5ò EÆR - {10796BDF-F294-4051-86B3-0CA10CFC0928} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5ò1EÆR - {DBC4BD16-1228-4037-8AA5-49360CF538AE} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5ò2EÆR - {DEF71504-B58E-4F83-B904-7CEA1E58A336} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òeEÆR - {24D3B395-5853-49A4-A4EF-ABA90D9B91D1} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÏTÆR - {D3D9A006-58EC-4A26-8679-957FD293AFDE} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÒEÆR - {A04E1EF5-E53E-4814-808D-579001F22F62} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òöEÆR - {B00BAB65-021B-4D64-A216-9CD358748A7C} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òßFÆR - {A8151F7C-52D1-485C-8933-6D4F59E4C779} - C:\WINNT\System32\qwsxp.dll
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    Thanks - Einbks
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi einbks, Welcome to TSG!! :)


    I have combined both of your threads into this one. Please don't create a new thread for the same problem, continue to reply here.


    Click on the link below to download CWshredder.
    http://www.intermute.com/spysubtract/cwshredder_download.html

    Run the program and let it do it's thing. Make sure to click on "Fix" and not scan only.

    __________________________

    Run HJT again and put a check in the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {83B52BE0-68B0-4A41-976A-83E24D29B64F} - C:\WINNT\System32\qwsxp.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINNT\System32\max8264.dll (file missing)
    O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA7FB62-35CD-453D-9163-9A81DEC937C3}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
    O18 - Filter: text/html - {10796BDF-F294-4051-86B3-0CA10CFC0928} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5ò EÆR - {10796BDF-F294-4051-86B3-0CA10CFC0928} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5ò1EÆR - {DBC4BD16-1228-4037-8AA5-49360CF538AE} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5ò2EÆR - {DEF71504-B58E-4F83-B904-7CEA1E58A336} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òeEÆR - {24D3B395-5853-49A4-A4EF-ABA90D9B91D1} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÏTÆR - {D3D9A006-58EC-4A26-8679-957FD293AFDE} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÒEÆR - {A04E1EF5-E53E-4814-808D-579001F22F62} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òöEÆR - {B00BAB65-021B-4D64-A216-9CD358748A7C} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òßFÆR - {A8151F7C-52D1-485C-8933-6D4F59E4C779} - C:\WINNT\System32\qwsxp.dll

    Close all applications and browser windows before you click "fix checked".

    Download Spybot http://www.majorgeeks.com/download.php?det=2471


    Click on "Search For updates" When prompted.

    Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

    __________________________________________________


    Download Adaware SE http://lavasoft.element5.com/software/adaware/

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window: Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Reboot and post another HJT log for review.
     
  4. einbks

    einbks Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    26
    Dear Cybertech Moderator
    Thanks so much for your help. The problem seems to be solved.
    Here is a copy of my curretn HJT Log

    einbks

    Logfile of HijackThis v1.99.0
    Scan saved at 9:32:46 PM, on 15/02/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\RunDll32.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet Cable
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4426/mcfscan.cab
    O18 - Filter: tœ†5ò
    EÆR - {F90BA1DE-821E-4B81-9F18-D57005F4EC86} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òNLÆR - {2985EC10-A9CB-4C0E-9A4A-BDDCEBB84D3A} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÈFÆR - {C7AE0063-8F04-4343-8733-C046F30E9A4C} - (no file)
    O18 - Filter: tœ†5òÊFÆR - {9C97D5CA-B01A-4A4F-9D89-68C3016B85F2} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òËFÆR - {E21CBB83-402B-408F-929A-5A385AAC348C} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÏTÆR - {D3D9A006-58EC-4A26-8679-957FD293AFDE} - C:\WINNT\System32\qwsxp.dll
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
    O18 - Filter: tœ†5ò
    EÆR - {F90BA1DE-821E-4B81-9F18-D57005F4EC86} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òNLÆR - {2985EC10-A9CB-4C0E-9A4A-BDDCEBB84D3A} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÈFÆR - {C7AE0063-8F04-4343-8733-C046F30E9A4C} - (no file)
    O18 - Filter: tœ†5òÊFÆR - {9C97D5CA-B01A-4A4F-9D89-68C3016B85F2} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òËFÆR - {E21CBB83-402B-408F-929A-5A385AAC348C} - C:\WINNT\System32\qwsxp.dll
    O18 - Filter: tœ†5òÏTÆR - {D3D9A006-58EC-4A26-8679-957FD293AFDE} - C:\WINNT\System32\qwsxp.dll

    Close all applications and browser windows before you click "fix checked".


    Restart in Safe Mode

    Uninstall Spyware Vanisher in add/remove programs.
    Delete the folder: C:\spywarevanisher-free
    Delete the file: C:\WINNT\System32\qwsxp.dll

    Reboot.
     
  6. einbks

    einbks Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    26
    Thanks - I've run HJT & fix checked what you indicated.

    However when I go to uninstall Spyware Vanisher I get the following error message - could not load initialization file.

    I have not deleted the folder & file as yet in case they need to be done in that order.
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I would go ahead and delete the folder, your other choice would be to reload it to be able to remove it in add/remove programs. I'm guessing the initializaion file was probably in your temporary internet files.
     
  8. einbks

    einbks Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    26
    Thanks - Couldn't find the folder or file. I searched via windows explorer & find. Can I assume that they don't exist? All seems to be working fine now.
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Sounds like it's gone! :)
     
  10. einbks

    einbks Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    26
    Thanks so much for your help
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/326892

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice