WinAntivirus 2006 popups

Original Message
Name: baspol
Date: October 10, 2006 at 10:51:42 Pacific
Subject: WinAntivirus 2006 popups
OS: Intel(R) Pentium(R) 4CPU
CPU/Ram: 2.4 gHz, 768MbRam
Model/Manufacturer: No idea
Comment:

Hello,

I have a problem with WinAntiVirus 2006 popups. I can't get rid of them. I read most of the threads down here, but still can't get it off my PC. Maybe because the names of the files are different every time? Think so.
Already have a HJT log available from today. Ewido also. Already ran Vundofix. It couldn't find anything. I didn't run any other scans yet.

Since every WinAntiVirus 2006 seems different, can someone please help me out?




Response Number 1
Name: murr
Date: October 10, 2006 at 12:35:14 Pacific
Reply:

Download SmitfraudFix (by S!Ri) http://siri.urz.free.fr/Fix/Smitfra... to your Desktop.
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Post your Hijackthis log along with the logs from SmitFraud and Ewido.


Response Number 2
Name: baspol
Date: October 11, 2006 at 04:49:16 Pacific
Reply:

Thanks for the help. Here are my logs.

Logfile of HijackThis v1.97.7
Scan saved at 19:45:56, on 10-10-2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\ASUSKBService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Labtec\Mouse\2.1\moffice.exe
C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hitman Pro\srhelper.exe
C:\Program Files\Labtec\Mouse\2.1\MOUSE32A.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack this\Show.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Profiles\default\3tsl1yr8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Profiles\default\3tsl1yr8.slt\prefs.js)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\2.1\moffice.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [forgpl] C:\PROGRA~1\INTRAM~1\Does Else.exe
O4 - HKLM\..\Run: [Internet Explorer Updater] C:\WINDOWS\system32\lexbac.exe
O4 - HKLM\..\Run: [SmartToDo] "C:\Program Files\Smart To-Do\SmartToDo.exe" minimize
O4 - HKLM\..\Run: [pokelivethearmy] C:\Documents and Settings\All Users\Application Data\setup size poke live\LoudBash.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Bastiaan\Bureaublad\utorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [024h Lucky Reminder] "C:\Program Files\024h Lucky Reminder\LuckyReminder.exe" /m
O4 - HKCU\..\Run: [CuteReminder] C:\Program Files\reminder\CuteReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Spyware Doctor (HKLM)
O9 - Extra button: Research (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtpl...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...


SmitFraudFix v2.109

Scan done at 13:43:09,53, wo 11-10-2006
Run from C:\Documents and Settings\Bastiaan\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bastiaan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bastiaan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Bastiaan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


ewido anti-spyware - Scan Report


+ Created at: 19:04:36 10-10-2006

+ Scan result:

C:\!KillBox\dekquoui.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{73C1283E-7C5D-4D5D-BE47-B2EBF9C53734}\RP9\A0000190.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\MQRDO20.DLL -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\OMBCSTF.DLL -> Adware.Look2Me : No action taken.
[712] C:\WINDOWS\system32\maafd.dll -> Adware.Look2Me : No action taken.
[852] C:\WINDOWS\system32\maafd.dll -> Adware.Look2Me : No action taken.
:mozilla.74:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.75:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.77:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.111:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.112:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.113:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.114:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.24:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.26:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.27:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.28:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.145:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.204:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.148:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.151:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.152:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.154:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.155:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.156:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.157:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.46:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.64:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.65:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.66:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.67:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.70:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Trafic : No action taken.
:mozilla.10:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.11:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.12:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.13:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.7:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.8:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.9:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

Maybe this will help. Windows gives an error every time I do startup. "An error occurred during loading of windows\system32\NvMcTray.dll". When I have Ewido activated during startup it will give a warning. When I try to clean or quarantine it with Ewido it won't work. Then next time at startup the file is different. Maybe this info helps?
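
As an added example (not part of the original posts and not ewido's own code), this Python code parses the ewido report format shown in the log above and separates detections in loaded modules from files on disk, restore-point copies and tracking cookies. Reading a leading bracketed number as a process ID is an assumption; the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# One ewido result line: optional "[pid] " or ":browser.N:" prefix,
# then "<path> -> <detection name> : <action>."
LINE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+|:(?P<store>\w+)\.\d+:)?"
    r"(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$"
)

def parse(report):
    """Return one dict per detection line; header and blank lines are skipped."""
    hits = []
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def triage(hits):
    """Group detections by where they live, so loaded modules stand out."""
    out = {"loaded": defaultdict(set), "on_disk": set(),
           "restore_point": set(), "cookies": defaultdict(int)}
    for h in hits:
        if h["name"].startswith("TrackingCookie."):
            out["cookies"][h["name"].split(".", 1)[1]] += 1
        elif h["pid"]:  # assumption: "[712]" is the ID of the hosting process
            out["loaded"][h["path"]].add(int(h["pid"]))
        elif "\\system volume information\\" in h["path"].lower():
            out["restore_point"].add(h["path"])
        else:
            out["on_disk"].add(h["path"])
    return out

# Sample lines copied from the ewido report in this thread.
SAMPLE = r"""
+ Scan result:
C:\!KillBox\dekquoui.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{73C1283E-7C5D-4D5D-BE47-B2EBF9C53734}\RP9\A0000190.dll -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\MQRDO20.DLL -> Adware.Look2Me : No action taken.
C:\WINDOWS\system32\OMBCSTF.DLL -> Adware.Look2Me : No action taken.
[712] C:\WINDOWS\system32\maafd.dll -> Adware.Look2Me : No action taken.
[852] C:\WINDOWS\system32\maafd.dll -> Adware.Look2Me : No action taken.
:mozilla.74:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.75:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.111:C:\Documents and Settings\Bastiaan\Application Data\Mozilla\Firefox\Profiles\4z1iv6rw.Standaardgebruiker1\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
"""

if __name__ == "__main__":
    for group, items in triage(parse(SAMPLE)).items():
        print(group, dict(items) if isinstance(items, dict) else sorted(items))
```

Sorting the report this way puts the modules that are mapped into running processes ahead of the tracking cookies, which make up most of the report by line count.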


Response Number 3
Name: murr
Date: October 11, 2006 at 08:04:20 Pacific
Reply:

I notice a few things. It appears there are no service packs installed on your system. Please download and install SP1. Next, you are using an outdated version of HijackThis. Download this version here http://www.thespykiller.co.uk/files...

Once you have SP1 installed, post a new HJT log.


Response Number 4
Name: baspol
Date: October 15, 2006 at 06:14:29 Pacific
Reply:

Apologies for late response.

I have a problem. Back home at my parents' house we had 4 PCs and 1 XP version. I now have one of those older PCs without the upgrades. My dad won't give me the codes to get the upgrades. He thinks it is not possible because we are not on the same IP address anymore. I think he is right. So that isn't going to work, I think. I know it took a while but I just can't persuade my father. Can you still help me?


Response Number 5
Name: murr
Date: October 15, 2006 at 08:21:10 Pacific
Reply:

Without having at least SP1 installed, you are wide open for re-infection and we would just be wasting time cleaning up your computer. All I can say is Google for SP1. Installing SP2 on an infected machine can create additional problems.

