Up all night; please assist...

flatsoen

New Member
:( I scanned with Ad-Aware which got rid of around 70 items. Then I scanned with Spyware Doctor, which found close to 50 more items. You have to pay before it removes the items though, and I haven't done that. Here is its report:

Infection Name Location Risk
PSGuard Desktop Hijacker HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run##intell32.exe High
PSGuard Desktop Hijacker HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update High
PSGuard Desktop Hijacker HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update## High
PSGuard Desktop Hijacker HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update##DisplayName High
PSGuard Desktop Hijacker HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update##UninstallString High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3 High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3## High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##vie High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##la High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##wu High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##su High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##mid High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##t High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##d High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##n High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##p High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##las High
Trojan.Downloader.Delf.LH HKCU\Software\Microsoft\st3##va High
Trojan.Downloader.Delf.LH HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler##{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} High
Winhound HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run##WinHound Low
Advertising C:\Documents and Settings\Den\Cookies\den@doubleclick[1].txt Low
Advertising C:\Documents and Settings\Den\Cookies\den@adtech[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\Den\Cookies\den@xiti[1].txt Medium
CWS C:\Documents and Settings\Den\Cookies\den@spots[1].txt High
Tracking Cookie(s) C:\Documents and Settings\Den\Cookies\den@questionmarket[1].txt Medium
Common Components for Claria C:\Documents and Settings\Den\Cookies\[email protected][2].txt Elevated
Tracking Cookie(s) C:\Documents and Settings\Den\Cookies\[email protected][1].txt Medium
Advertising C:\Documents and Settings\Den\Cookies\den@spywareremoversreview[1].txt Low
Common Components for Claria C:\Documents and Settings\Den\Cookies\den@belnk[1].txt Elevated
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun\HKCURun Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun\HKCURun\RunOnce Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun\HKCURun\RunOnceEx Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun\HKLMRun Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun\HKLMRun\RunOnce Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun\HKLMRun\RunOnceEx Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun\StartMenuAllUsers Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\Autorun\StartMenuCurrentUser Low
Winhound C:\Documents and Settings\Den\Application Data\WinHound.com\WinHound\BrowserObjects Low
PSGuard Desktop Hijacker C:\WINDOWS\System32\intell32.exe High
PSGuard Desktop Hijacker C:\WINDOWS\warnhp.html High
Trojan.Proxy.Lager.f C:\Documents and Settings\Den\Local Settings\Temp\cbjn.exe High
Trojan.Proxy.Lager.f C:\Documents and Settings\Den\Local Settings\Temp\oecn.exe High
Trojan.Downloader.Delf.LH C:\Program Files\HijackThis\backups\backup-20051125-171538-614.dll High
Trojan.Downloader.Delf.LH C:\WINDOWS\q35988699.dll High
Trojan.Downloader.Delf.LH C:\WINDOWS\q360358.dll High




:( I'm in doodoo-land, I presume? The HJT-log seems to grow bigger steadily... I'm in safe mode now, and would like some help, please. I'd like to catch some sleep too, but don't know if that makes things worse...


Logfile of HijackThis v1.99.1
Scan saved at 2:26:37 AM, on 12/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
 
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • Remove all it finds.
  • Close Ewido

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm

  - Once you are on the Panda site click the Scan your PC button
  - A new window will open...click the Check Now button
  - Enter your Country
  - Enter your State/Province
  - Enter your e-mail address and click send
  - Select either Home User or Company
  - Click the big Scan Now button
  - If it wants to install an ActiveX component allow it
  - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  - When download is complete, click on Local Disks to start the scan
  - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Finally, restart your computer once more, and please post a new HijackThis log and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.
 
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main Ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes, the status bar at the bottom will display "Update successful"
Exit Ewido. DO NOT run a scan yet.

Thanks for helping. I didn't get the Database message, and the Update button jumps back to Start without doing anything. It says there is no update available, at the bottom... Perhaps I downloaded the upgrades the first time around?
 
Up all night indeed... I did everything (more or less) as recommended, and the sirens have stopped, I think. But I'm stuck here: "Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm"

Avast cuts off the downloading part with warnings of a worm in this file: "http://acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL"

Is there another program that can do the same?
 
Drek... Windows XP is installing a huge "service pack 2", and there's no Cancel button in sight. Can I stop it? Should I stop it?

Addited: too late! It's done...
 
- All right! That's what the scanner said...

- The HJT-log:
Logfile of HijackThis v1.99.1
Scan saved at 1:25:06 PM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

- and the smitfile:

smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 12/02/2005
The current time is: 5:13:51.42

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

I second that! :) You saved the life of an innocent little laptop. I came _very_ close to tossing it out the window last night. Thanks mate! You're worth your weight in silicon... ;)
 