Swaine_Thompson
asked on
How do I remove the "Better.Internet", "Begin2Search" and "ISTBAR" viruses?
Norton has discovered these files trying to access the internet using my ports. Each time, I have blocked their access.
Istsvc[1].exe
nail.exe
nail[1].exe
thnall1ac.exe
nwqjmlhkca.exe
nsa91f.dll
I have rebooted in Safe Mode and used HIJACK THIS to delete these files. They keep returning. I have also tried Norton and Spyware Doctor to remove them. Nothing works.
Here is a copy of my latest file from HIJACK THIS:
Logfile of HijackThis v1.98.2
Scan saved at 8:08:26 PM, on 4/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\explorer.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\unzipped\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\ajchqhd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\QConsole.exe
C:\Documents and Settings\Swaine\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Handy Password - {B2DE56E2-907A-4080-AE06-5C2A7BD4364E} - C:\Program Files\Handy Password\HandyPasswordToolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DOoHbrh6] C:\WINDOWS\isdtkns.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ftuhup] c:\windows\system32\ajchqhd.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [FreeRAM XP] "C:\unzipped\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Autologin - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_autologin.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Fill - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_fill.html
O8 - Extra context menu item: Fill with - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_fillwith.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Lock - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_lock.html
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Save - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_save.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Transaction Management - https://tmm8.care.usbank.com/Tmm/Tmm.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
Hi Swaine_Thompson,
You could use these 2 programs like I did, SpyBot and MS AntiSpyware. I had to run these a couple of times to remove them, but they eventually were removed. The problem is that deleting the registry keys is not enough; you need to have the program creating the reg keys removed.
Cheers!
Have you tried these spyware removal tools? Download, and run these.
Spybot Search and Destroy 1.3
http://www.safer-networking.org/en/index.html
Lavasoft Ad-aware
http://download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
Microsoft Windows Antispyware Beta
http://www.microsoft.com/athome/security/spyware/software/default.mspx
The system restore feature on XP will restore these files upon reboot after you have deleted them if it is not disabled.
ASKER
Stenlj,
I ran the MS Anti Spam several times. It removed it, but when I rebooted, the virus was still there. I noticed "Nail.exe" was still showing up in my HIJACK THIS log. I'll try this again.
Please make sure that your virus files are current in Norton AV and that you have installed the latest update for MS Anti-Spyware. If you have already done this, run your AV and Spyware programs in Windows Safe Mode. You can access Safe Mode by pressing the F8 key when the system is first booting up. This will ensure that the files are not running when you run the scans. Sometimes, AV and spyware programs cannot delete files that are already running.
Also, as craylord suggested, you may want to also download additional spyware detectors as they may find a 'carrier' program that is responsible for re-installing these programs after they are uninstalled.
Again, it is important that you do as much of the cleaning as you can in Safe Mode. This not only lets you delete files that would otherwise be in use, it prevents access to the Internet so that new items cannot be downloaded while you are trying to clean your system.
Best of luck!
A few that look odd to me:
C:\WINDOWS\System32\DVDRAM SV.exe <-- never seen that before....
C:\WINDOWS\System32\ezSP_P x.exe <-- nor that
C:\WINDOWS\Explorer.exe <-- running 3 times... that's weird.
C:\WINDOWS\SM1BG.EXE <-- dunno that one
c:\windows\system32\ajchqh d.exe <-- that really sounds like a virus!
Now, these are my assumptions, based on what I have seen before.
Back these executables up and delete 'em.
Then reboot.
If all hell breaks loose (which I doubt), put 'em back.
Oh, and don't delete explorer.exe, you kinda need that ;)
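The replies in this thread pick the odd-looking entries out of the log by eye. As an added example that is not from this thread, here is a Python script that does the same triage over HijackThis-format log lines: it flags an F2 Shell= entry that carries a program after Explorer.exe, O4 Run entries that start an unrecognised executable from the Windows directory (raised to high severity when the same image also appears in the running-process list), and images running more than once. The sample log lines are constructed from the asker's entries; the allowlist and the C:\WINDOWS install path are assumptions.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.98 log format, modelled on entries from the
# asker's log (paths written without the extraction spaces); not the full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\ajchqhd.exe
C:\Program Files\Internet Explorer\iexplore.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DOoHbrh6] C:\WINDOWS\isdtkns.exe
O4 - HKLM\..\Run: [ftuhup] c:\windows\system32\ajchqhd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
"""

# Run-key targets that legitimately live directly in the Windows directory
# (assumption: a short XP-era baseline; extend it for the machine being triaged).
WINDOWS_DIR_ALLOWLIST = {"ctfmon.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")          # "R1 - ", "F2 - ", "O4 - ", ...
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)   # first .exe path in a command
WINDIR_RE = re.compile(r"^c:\\windows\\(?:system32\\)?([^\\]+\.exe)$")  # assumes C:\WINDOWS
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def windows_dir_exe(path):
    r"""Return the lowercase file name if `path` sits directly in C:\WINDOWS or
    C:\WINDOWS\system32, otherwise None."""
    m = WINDIR_RE.match(path.strip('"').lower())
    return m.group(1) if m else None


def parse_log(log_text):
    """Split a HijackThis log into (running process paths, list of entry lines)."""
    processes, entries = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False
            entries.append(line)
        elif in_processes:
            processes.append(line)
    return processes, entries


def shell_extras(entry):
    """For an F2 Shell= entry, return every program listed besides Explorer.exe."""
    if not entry.startswith("F2 - REG:system.ini: Shell="):
        return []
    tokens = entry.split("Shell=", 1)[1].split()
    return [t for t in tokens if t.lower() != "explorer.exe"]


def triage(log_text):
    """Return findings as (severity, section, detail) tuples, highest severity first."""
    processes, entries = parse_log(log_text)
    running = Counter(p.lower() for p in processes)
    findings = []
    for entry in entries:
        extras = shell_extras(entry)
        if extras:
            # Anything appended to Shell= starts with the shell, so it survives
            # deletion of Run keys and files until this entry is cleaned too.
            findings.append(("high", "F2", "extra shell program: " + " ".join(extras)))
            continue
        m = O4_RE.match(entry)
        if not m:
            continue
        exe = EXE_RE.search(m.group("cmd"))
        target = exe.group(0) if exe else m.group("cmd")
        name = windows_dir_exe(target)
        if name is None or name in WINDOWS_DIR_ALLOWLIST:
            continue
        active = target.lower() in running
        detail = f"[{m.group('name')}] autostarts {target} from the Windows directory"
        if active:
            detail += " (currently running)"
        findings.append(("high" if active else "medium", "O4", detail))
    # The same image listed more than once among running processes is worth a look.
    for path, count in running.items():
        if count > 1:
            findings.append(("low", "process", f"{path} running {count} times"))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {section:8} {detail}")
```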
Hi!
The version of HijackThis you're using is outdated (1.98.2)!!
Download HijackThis version 1.99.1 from:
http://www.gatesofdelirium.com/ee/tools/
Place it into a folder of its own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop. <-<-
HijackThis makes "backups" and it's good to have them in a centralized location.
With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en
Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.
Please, do not post your log file here!
We'll take a look at it! :)
Good luck!
RF
You can enter your Hijack This log at:
http://www.hijackthis.de/
I ran it through - use the link below (good for 3 days only) and remove anything marked as Nasty, and anything marked as Unknown if you don't recognize it (make sure to back up the entries you remove, just in case.)
http://www.hijackthis.de/logfiles/1502fdd4197cfb3528f9504341814d54.html
ASKER
Hi Rossfingal,
I followed your instructions. Here is the link:
http://www.hijackthis.de/logfiles/21500d3eb7dd4c6bb3c20a172b0e1480.html
Hi!
I'm looking at your log file right now.
Be back soon.
RF
ASKER
Great! Just wanted to tell you that this entry:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Keeps reappearing every time I delete it. I have no idea what it is but my Norton Internet Security keeps popping up asking me to allow:
Thnall1.exe
to access the internet, right after I delete NAIL.EXE
ASKER CERTIFIED SOLUTION
ASKER
Hi Ross,
I'm trying to follow your instructions but here are some problems I'm having:
Shell=Explorer.exe C:\windows\nail.exe
does not show up in my system.ini. I double-checked this by running START, RUN, "System.ini".
Also, I have seen a few of these processes you mentioned in my task manager, processes section; however, I'm getting an "access denied" when I'm trying to stop the processes. Should I move on to the next set of instructions?
Try removing the line from system.ini when you're in "safe" mode.
Are you logged on with Administrative rights?
After you stop the System Startup Service with services.msc -
try killing the tasks again.
RF
Hi!
Been doing some research on this.
Search your computer for this file:
DrPMon.dll
Should be in the "system32" folder
Delete it if it's there.
Also, check the "registry" for these 2 keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]
"Driver"=DrPMon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon]
"Driver"=DrPMon.dll
If present - delete the value in the right-hand pane:
"Driver"=DrPMon.dll
RF
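As an added illustration of the two persistence spots this thread turns on (the `Shell=` line in system.ini that kept re-launching Nail.exe, and the `Print\Monitors` `Driver` value loading DrPMon.dll), here is a small Python audit that is not the poster's code: it parses constructed sample data modelled on the entries quoted above and flags both. The allowlist of stock Windows XP port-monitor DLLs is an assumption.

```python
import re
from configparser import ConfigParser

# Constructed sample [boot] section modelled on the system.ini entry quoted in the
# thread (hypothetical data, not taken from the asker's machine).
SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\Nail.exe
drivers=mmsystem.dll
"""

# Constructed .reg-style export of the Print\Monitors subkeys: the ZepMon/DrPMon.dll
# pair mirrors the keys quoted in the thread, the other two are stock XP monitors.
REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]
"Driver"=DrPMon.dll
"""

# Assumed allowlist of port-monitor DLLs that ship with Windows XP.
KNOWN_MONITOR_DLLS = {"localspl.dll", "tcpmon.dll", "usbmon.dll", "pjlmon.dll", "lprmon.dll"}


def shell_hijack(ini_text):
    """Return every token on the [boot] Shell= line other than Explorer.exe itself.
    Anything appended there is launched with the shell at every logon, which is why
    Nail.exe kept returning in the thread."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # Plain whitespace split; a quoted path containing spaces would need shlex-style handling.
    parts = cp.get("boot", "shell", fallback="Explorer.exe").split()
    return [p for p in parts if p.lower() != "explorer.exe"]


def suspicious_print_monitors(reg_text, known=KNOWN_MONITOR_DLLS):
    """Return (monitor name, Driver DLL) pairs whose DLL is not on the allowlist."""
    findings, current = [], None
    for line in reg_text.splitlines():
        key = re.match(r"^\[.*\\Print\\Monitors\\([^\]]+)\]$", line, re.IGNORECASE)
        if key:
            current = key.group(1)
            continue
        drv = re.match(r'^"Driver"="?([^"]+)"?$', line, re.IGNORECASE)
        if drv and current and drv.group(1).lower() not in known:
            findings.append((current, drv.group(1)))
    return findings
```

On a live machine the same two checks would read the real `system.ini` and a `reg export` of the `Print\Monitors` key; both ControlSet copies mentioned in the post should be exported, since the monitor is re-created from whichever set boots.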
I installed the tool from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
Then installed it and let it update itself. Then, I ran a scan and it found and uninstalled all the spyware it found.