need a little help have logfile. will have ewido scan log.

also... what program is making random words on pages, into little green links?

A.

also... what program is making random words on pages, into little green links?

Those are "sponsored links", and they're done on the webserver's side. The technique is a relatively new (and pretty irritating) form of advertising.

B.

something c:/recyclers s-1-5-21-304614 blah blah blah

"Recyclers" folders are where items in your Recycle Bins are kept; they can be safely deleted.

C. You've got a handful of nasties in your log; please do the following:

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

2. Download and install these utilities (but do not run scans with them yet):

Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Adaware, click on the "Check for updates now" link, and follow the prompts to get the latest updates. Close the program when it has finished installing the updates.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open your antivirus program and make sure that you have the most current update installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.

2. Download and install the CleanUp! utility, but don't run it yet.

3. Run HijackTHis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing its fixes:

O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\SYSTEM32\ngsh35.dll (file missing)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsg4600.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\System32\iraspbgf.dll (file missing)
O2 - BHO: (no name) - {D76F403B-D8D0-887D-87DF-D828E4213A91} - C:\WINDOWS\System32\pua.dll
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\SYSTEM32\sms_msn.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt tzt
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c10.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab

4. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

5. Run CleanUP! It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

6. Run the anti-virus, SpyBot, AdAware, ewido, and MS Antispyware beta utilities consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

7. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Search for the following files and delete them if found (some should have been deleted by the anti-spyware utilities already):

C:\WINDOWS\SYSTEM32\ngsh35.dll
C:\WINDOWS\System32\nsg4600.dll
C:\WINDOWS\System32\iraspbgf.dll
C:\WINDOWS\System32\pua.dll
C:\WINDOWS\SYSTEM32\sms_msn.exe

- Delete the folder entirely:

C:\Program Files\rdso

8. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Alos post the log that ewido generated.

hey...i just noticed. step 3... all of the things i need to check and fix, in hijack this. are not in my hijack this log. there's a lot of things that look pretty ugly, though. that i'm not sure about. i'm gonna use the programs, though. and post a new logfile when that's done.

hey...i just noticed. step 3... all of the things i need to check and fix, in hijack this. are not in my hijack this log.

Yoiks!! You are absolutely right! :o

Very sorry about that. Friggin' cut-n-paste errors on my part; working on too many posts at the same time...

I've edited my last post so that the instructions now reflect the infections on your system (what a concept, eh?).

i was blindly optimistic for a second, there... thinking that i had none of the threats you were mentioning, and i was in pretty good shape. i just had different ones.

hijack....

Logfile of HijackThis v1.99.1
Scan saved at 11:28:11 AM, on 12/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: [url]http://awbeta.net-nucleus.com[/url] (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url]http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129012798000[/url]
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [url]http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4642/mcfscan.cab[/url]
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



 + Scan result:

    HKLM\SOFTWARE\PSGuard.com -> Spyware.PSGuard : Error during cleaning
    HKLM\SOFTWARE\PSGuard.com\PSGuard -> Spyware.PSGuard : Error during cleaning
    HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Spyware.PSGuard : Error during cleaning
    HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Spyware.PSGuard : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP517\A0095752.exe -> Downloader.Qoologic.al : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP517\A0095753.exe -> Dropper.Agent.abb : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP517\A0095754.exe -> Downloader.Small.bue : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP517\A0095755.dll -> Spyware.AdBlaster : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP517\A0095757.exe -> Spyware.SafeSurfing : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP517\A0095758.dll -> Spyware.SafeSurfing : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP520\A0095854.exe -> Dropper.Small.of : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP520\A0095855.dll -> Downloader.Agent.br : Cleaned with backup

ewido... didn't find too much. i've never been able to get rid of psguard, though. that's one of my concerns.
that CleanUp! is amazing, though. it zapped like 300 mb's worth of files, from my computer. felt good.

a few other concerns...in program files... NetMeeting? PAL SPYREM? wild tangent? a few icons escaped detection, too. free ipod things.

and lastly (thanks for all the help, by the way...i can get pretty lost and hard to lead through things) on my desktop, no idea how it got there, where it came from... is a file... s.dll

just wondering about that one.
one thing that scared me was, all of the scanners missed it, but the microsoft one caught it was vx2? or something similar. i know i had it before, but adaware caught it.

so, thanks again...that one bho, doesn't look too friendly, either.

i've never been able to get rid of psguard, though.

PSGuard is part of the "Smitfraud" infection. To clean the PSGuard entries from your Registry, please do the following:

- Download smitrem.exe and save the file to your desktop.
Double-click on the file and extract it to it's own folder on the desktop.

- Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

- When finished, the tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

NetMeeting? PAL SPYREM? wild tangent? a few icons escaped detection, too. free ipod things... a file... s.dll

- NetMeeting is an Internet teleconferencing program from Microsoft; it comes bundled with Internet Explorer.
- PAL Spyware Remover (PAL SpyRem) is spyware "remover" of dubious reputation; you can read more about it here. Uninstall it through you Add/Remove Programs control panel if it is listed there; if it isn't, open Windows Explorer and delete the entire C:\Program Files\PAL SpyRem folder.
- Wild Tanget makes popular free game downloads, the "free" part meaning that the game are bundled with Adware. As with SpyRem, remove all Wild Tangent programs through the control panel and/or delete all Wild Tangent and WT folders found on your hard drive.
- "s.dll" is a component of the "Xupiter" family of Adware infections; delete the file.
- You can also safely delete the bogus .ico files manually if none of hte anti-spyware utilities are catching them.

that one bho, doesn't look too friendly, either.

No, that BHO is definitely not a friendly; it's a leftover from the C:\WINDOWS\System32\iraspbgf.dll file that we removed. Run HijackThis again and have it fix the entry for that BHO.

One other thing: The references in your ewido report to the C:\System Volume Information\_restore folder indicate that you have infections stored in your saved System Restore points, which is a Bad Thing. ewido obviously cleaned some of the nasties, but there may still be others present; you should delete your saved System Restore points to eliminate that possibility. A slightly more detailed explanation of the problem, and instructions for clearing you Restore Points, can be found here.