SpywareInfo Forum: My desktop says "Warning! Spyware detected on your computer - SpywareInfo Forum


My desktop says "Warning! Spyware detected on your computer" and I cannot get rid of it

#1 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 18 December 2005 - 01:10 AM

My desktop has suddenly turned into a Warning sign saying "Warning! Spyware detected on your computer. Install Antivirus or Spyware Removal to clean your computer." And then it has a link to this hxxp://www.teslaplus.com/search.php?wmid=1...ub=0&q=Removers . I no longer even have a View tab on my display options [Windows XP] so that I can change it back. My homepage has also been changed, and I cannot change it back either.
I have NoAdware and EZTrust as my spyware/antivirus programs.
Neither is any good for this.

I noticed this gentleman had the same problem and seemed to fix it, I was wondering if anyone else knows the answer?
http://forums.spywar...=0&#entry335785

This post has been edited by jw50: 21 December 2005 - 10:09 PM


#2 crazy_jelly

  • Member
  • Group: Full Member
  • Posts: 3
  • Joined: 18-December 05

Posted 18 December 2005 - 07:00 PM

alltracman78, on Dec 18 2005, 01:10 AM, said:

My desktop has suddenly turned into a Warning sign saying "Warning! Spyware detected on your computer. Install Antivirus or Spyware Removal to clean your computer." And then it has a link to this http://www.teslaplus...ub=0&q=Removers . I no longer even have a View tab on my display options [Windows XP] so that I can change it back. My homepage has also been changed, and I cannot change it back either.
I have NoAdware and EZTrust as my spyware/antivirus programs.
Neither is any good for this.

I noticed this gentleman had the same problem and seemed to fix it, I was wondering if anyone else knows the answer?
http://forums.spywar...=0&#entry335785



I had the EXACT problem! After about 3 straight hours of surfing on Firefox (like Internet Explorer but safer), downloading, and frequently scanning each one, I found Spy Sweeper. You can search for it in Google (that's how I did it) and download the trial version, which is for 14 days. You'd have to mess around with the options so that it fully scans everything in your computer, but it's worth the effort. Make sure you close everything that is open except the Spy Sweeper because your computer may get pretty slow and the scan should last for maybe 30 mins. Remove the hijack, etc. and restart your computer and everything should be back to normal!


P.S. I have no idea how the guy did it xD

P.P.S. I didn't download Hijack This so I'm not sure if it would be better... hope any of this helped at all

This post has been edited by crazy_jelly: 18 December 2005 - 07:21 PM


#3 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 18 December 2005 - 08:43 PM

OK.
I've downloaded Spybot, Spyware Blaster, Spyware Guard, MS Spyware, and Hijack.
I JUST did a scan with No Adware, Spybot, and EZ Trust. Found and deleted some stuff.
Then, I did a scan with Hijack.
This is the log.

Logfile of HijackThis v1.99.1
Scan saved at 8:29:43 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\shdochp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\jeremy\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.dogpile.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdochp.dll/blank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.dogpile.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.celicatech.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MyBHO - {784aa380-13f2-422e-8540-f2280f1dd4f1} - C:\WINNT\System32\bhoimpl.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [FHPage] C:\WINNT\system32\shdochp.exe home
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


The red highlighted program is [at least one of] my problem[s].
I spent a bunch of time on the phone with my dad, and we tried to go into the registry and delete this. I also tried other places [I don't remember where. I'm not really a computer guru. :p].
Every time it is deleted, it comes back.
Including when it comes up in the hijack log.
As far as I can tell, it is responsible for the changed homepage [which I cannot change back, even though I have like 3 different programs all supposedly locking my homepage]. I have been warned numerous times that an effort to change my homepage to res://shdochp.dll/blank.html has been made, and I am asked if I approve. I say no. It changes anyways.
Also, regarding my desktop being hijacked, it's not so much hijacked as covered up. It comes up when I turn the computer off.

I'm going to try this spy sweeper in a minute. I'll post up in a bit with the results.

Does anyone have any suggestions?

#4 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 18 December 2005 - 08:46 PM

BTW, when I scanned with EZ Trust, there were 55? files it could not scan. I saved the scan.
Should I post that up as well?

#5 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 18 December 2005 - 09:35 PM

Well, Spy Sweeper did no good either.
It picked up a few more cookies, but that's it.
I still have the same problem.

Does anyone else have any insight?

#6 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 21 December 2005 - 09:20 PM

Posted a link in the 3 day old thread.

Update.
I have gotten rid of most of it, thanks to a buddy of mine.
I learned how to manually remove stuff. :D
The only problem I have left is my desktop is still hijacked. I can't access it to change the pic.
Also, I found 2 suspicious files in My Documents. One was titled "Thumbs" and the other "Desktop". They were both all over my folders. Every time I deleted them one place, they would come back another. I finally deleted everything in My Documents. They haven't come back [yet].

I just ran a HiJack This scan.
Here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 9:01:20 PM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wscntfy.exe
C:\DOCUME~1\jeremy\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.dogpile.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.dogpile.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.celicatech.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

#7 jake1

  • Member
  • Group: Full Member
  • Posts: 4
  • Joined: 20-November 05

Posted 21 December 2005 - 09:25 PM

Check out this entry -- O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

#8 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 21 December 2005 - 09:47 PM

How do I "check it out"?

#9 JG427

  • Forum Deity
  • Group: Trusted Advisor*
  • Posts: 1,020
  • Joined: 30-June 04

Posted 21 December 2005 - 10:17 PM

alltracman78, wait for a trained helper to assist you. jake1 is not authorized to post help.

jake1, Please see The various helper groups here. Do join the team if you want to post help, we'd love to have you with us.

#10 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 21 December 2005 - 10:31 PM

:thumbsup:

#11 cnm

  • Mother Lion of SWI
  • Group: Administrators
  • Posts: 15,178
  • Joined: 15-May 04

Posted 21 December 2005 - 11:30 PM

Hi alltracman78,

Thumbs.db is normal: http://www.pcworld.c...id,13357,00.asp

Quote

What's up with Thumbs.db. If a folder's options are set to let you view all files, you may see a new file called Thumbs.db in that folder. This is the folder's thumbnails database. If you don't see Thumbs.db, choose View, Folder Options, click the View tab, select "Show all files" in the Advanced settings list, and click OK. Each folder with a thumbnail view will have its own Thumbs.db file; and the more files a folder contains, the larger its Thumbs.db file will be.


Scan again with HijackThis. Mark the box next to this:
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
Close the other windows, then click 'Fix checked'.
That is the only problematical entry I notice.

Reboot.

Set your IE home page: Tools->Internet options

Then please post a new HT log, and tell us:
What exactly happens when you right-click on the desktop, select Properties, select something in the Desktop tab (there should be around 12 choices), and click OK?
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
Alliance of Security Analysis Professionals

#12 JG427

  • Forum Deity
  • Group: Trusted Advisor*
  • Posts: 1,020
  • Joined: 30-June 04

Posted 22 December 2005 - 12:33 AM

Hi, alltracman78.
I have more time to post now, so I can take another look at your problem.

As cnm said, I also don't see any other bad entries left in your log.
You did have a smitfraud infection and the damage it does has remained.
Let's back up and run the fix which should solve most of the remaining problems.

But first, your copy of hijackthis has not been unzipped and is located in a temporary directory.
When the temp files are cleaned out, the program and backup files it makes will be lost.

Instead of hunting it down and moving it, let's download a new one.
Click the link below, then choose to save it to your drive. Go to the download location and double click hijackthis_sfx.exe.
A box will open, choose unzip, then close the box. A hijackthis folder will be placed at C:\Program Files\HijackThis.

http://www.merijn.or...ackthis_sfx.exe

Next step:
Please print out the following or copy and paste into notepad for reference while in safemode.


Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of ewido security suite:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Click on update in the left menu, then click the Start update button.
After the update finishes, exit from ewido as it should be run later in safemode.

Download the latest version of Ad-Aware SE from here.
Open Ad-Aware and from the main screen Click on "Check for Updates Now".
After updating, close Ad-Aware, we will run it later.

Reboot into safemode
Restart the computer; as soon as the BIOS has finished loading, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.

Scan with hijackthis and checkmark these lines:

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

Close all open windows, except hijackthis, and click fix checked.


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt located at C:/smitfiles.txt, or partition where your operating system is installed.
Please post smitfiles.txt in your next reply.


Open Ad-Aware
Click on the "Scan Now" button on the left.
Under "Select Scan Mode", select "Perform full system scan".
Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds.


Open Ewido and click on the Scanner button in the left menu, then click on complete system scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on ok.
When the scan finishes, click on "Save Report".

Next, click the start button on the taskbar, then click control panel (or settings then control panel on XP Pro).
In control panel, click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Restart your system into normal mode.

In internet explorer, please run the BitDefender online scan at BitDefender.com
You will need to allow an active x install for the scan to run.
Leave the scanning options at default and press "click here to scan"

Scan with hijackthis and post the new log along with smitfiles.txt.
Also post the report from ewido.
It's located in the folder at C:\Program Files\ewido\security suite\Reports.



After running the smitrem fix and reboot, your system may be using the windows classic theme again.
To set it back to XP-theme, right-click on your desktop > properties > tab Appearances and choose Windows XP style under windows and buttons.
Click apply and OK.


#13 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 22 December 2005 - 11:38 AM

Thanks a lot guys. :)
I can't do this now. Hopefully tonight.

#14 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 27 December 2005 - 11:05 PM

Ok.
Finally got it done. :p

Everything is running a lot better now. :)
Here are my scan results.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:36 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.dogpile.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.dogpile.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.celicatech.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe



smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 12/27/2005
The current time is: 20:14:10.15

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 784 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:18:10 PM, 12/27/2005
+ Report-Checksum: 3D0025D8

+ Scan result:

C:\Documents and Settings\jeremy\Cookies\jeremy@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\jeremy\Cookies\jeremy@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\jeremy\Local Settings\Temp\NoadwareBkupTemp\jeremy@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\System Volume Information\_restore{1920DD05-C3B3-4337-B7AE-8CBB7597E6CD}\RP36\A0002041.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{1920DD05-C3B3-4337-B7AE-8CBB7597E6CD}\RP5\A0001192.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{1920DD05-C3B3-4337-B7AE-8CBB7597E6CD}\RP67\A0006091.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{1920DD05-C3B3-4337-B7AE-8CBB7597E6CD}\RP67\A0006092.dll -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup


::Report End
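
The helpers in this thread compare successive HijackThis scans by eye; the script below is an added example, not part of the original thread and not code from HijackThis, that parses the numbered R/O entries and reports what was removed, added or changed between two scans. The three sample logs are short excerpts of the scans posted above, and the function and variable names are assumptions made for this example.

```python
import re

# One numbered HijackThis entry: section code (R0, O2, O23 ...), " - ", then the body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpts of the three scans posted in this thread (not the full logs).
SCAN_18_DEC = r"""
Running processes:
C:\WINNT\system32\shdochp.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdochp.dll/blank.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MyBHO - {784aa380-13f2-422e-8540-f2280f1dd4f1} - C:\WINNT\System32\bhoimpl.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [FHPage] C:\WINNT\system32\shdochp.exe home
"""
SCAN_21_DEC = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
"""
SCAN_27_DEC = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""


def parse_entries(log_text):
    """Map each numbered entry to a value.

    R-section lines ("key = value") are keyed by section and registry value
    name, so a changed setting shows up as a change rather than as one removal
    plus one addition. Every other entry is keyed by its full text, value None.
    """
    entries = {}
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header, blank line or a "Running processes" path
        code, body = match.groups()
        if code.startswith("R") and "=" in body:
            key, _, value = body.partition("=")
            entries[(code, key.strip())] = value.strip()  # value may be empty
        else:
            entries[(code, body)] = None
    return entries


def diff_scans(old_text, new_text):
    """Return the entries removed, added and changed between two scans."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    return {
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": sorted((k, old[k], new[k]) for k in old
                          if k in new and old[k] != new[k]),
    }


def format_diff(diff):
    """Render a diff as one line per entry, prefixed with -, + or ~."""
    lines = [f"- {code} {body}" for code, body in diff["removed"]]
    lines += [f"+ {code} {body}" for code, body in diff["added"]]
    lines += [f"~ {code} {key}: {before!r} -> {after!r}"
              for (code, key), before, after in diff["changed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print("18 Dec -> 21 Dec")
    print(format_diff(diff_scans(SCAN_18_DEC, SCAN_21_DEC)))
    print("21 Dec -> 27 Dec")
    print(format_diff(diff_scans(SCAN_21_DEC, SCAN_27_DEC)))
```

A diff only shows what changed between scans; whether an entry is legitimate still has to be judged by someone who knows the installed software.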

#15 alltracman78

  • Member
  • Group: Full Member
  • Posts: 19
  • Joined: 18-December 05

Posted 27 December 2005 - 11:25 PM

It did.
It's gone, for now at least.... :p

If someone could just check out the logs and tell me if I'm good to go. :)
