popups continue despite efforts

Jaz

SFB said:
Too much but we must start somewhere.

Okay, I can understand the URLSearchHook: Incred... above, but below
SpywareGuard proggy (I installed it -- do you not like it?)
DELETE the above.


Delete the above



Delete the above


After cleaning as suggested post the next log, I was not able to set my mind
to see through all culprits.
I will set it again after the first cleansing.

Thanks again, SFB.

I removed two of the three items you marked -- do you really think I
should remove SpywareGuard?

BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} -
C:\Programs\SpywareGuard\dlprotect.dll

Shagnasty noticed that there was a bogus svchost.exe running out of
%systemroot% (vs %systemroot%\system32) -- do you think that was the
"CWS variant" that CWSShredder removed?

Here's a new log:

Logfile of HijackThis v1.97.7
Scan saved at 2:37:38 PM, on 2/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programs\Norton AntiVirus\navapsvc.exe
C:\Programs\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Programs\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Documents and Settings\jaz\Application Data\saer.exe
C:\WINNT\system32\wnsintit.exe
C:\Programs\SpywareGuard\sgmain.exe
C:\Programs\SpywareGuard\sgbhp.exe
C:\PROGRAMS\MOZILL~1\MOZILL~1.EXE
C:\Programs\Utils\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.searchant.com/r=6&s=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R3 - URLSearchHook: IncrediFindBHO Class -
{5D60FF48-95BE-4956-B4C6-6BB168A70310} -
C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 172.16.30.16 ganymede harbell.homeip.net
O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} -
C:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Programs\Spybot\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} -
C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Programs\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programs\Norton
AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [FinePrint Dispatcher v5]
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [version] C:\WINNT\system32\version.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\system32\Keyhost.exe
O4 - HKLM\..\Run: [updater] C:\Programs\Common
files\updater\wupdater.exe
O4 - HKLM\..\Run: [Zone Labs Client]
C:\Programs\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [ntbalckup.exe] C:\WINNT\system32\ntbalckup.exe
O4 - HKCU\..\Run: [Atro] C:\Documents and Settings\jaz\Application
Data\saer.exe
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintit.exe
O4 - Startup: SpywareGuard.lnk = C:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37997.7060763889
O17 -
HKLM\System\CCS\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2
O17 -
HKLM\System\CS1\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2
O17 -
HKLM\System\CS2\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2

==============================

(Please excuse the 'burp' when replying)
 
Jaz

Beauregard T. Shagnasty said:
Quoth the raven named Jaz:


Are there supposed to be /two/ svchost.exe files? I've got Win2K SP4
as well, and I do not have a copy in c:\winnt.

To quote C. Lambert, "There can be only one."

Right you are! Thanks!
Looks like CWSShredder took care of that one, but I still have a
wnsintit.exe trying to get a dns lookup. Virus/trojan/worm?
(Please excuse the 'burp' when replying)
 
Jaz

SFB said:
Are you sure about the name? WNSINTIT.EXE I think you mistyped.

Yep, spelling is right. I've searched Google and NOTHING on WNSINTIT.EXE
-- maybe it's a new worm, but this crap has been bugging me for about
a week, so... hmmm...

I also have SAER.EXE process running -- likely related to Zone Alarm
"sear1 MFC Application" warning?

(Please excuse the 'burp' when replying)
 
Jaz

(e-mail address removed) forgot to take the pills and typed:
You can Google sear1 MFC application and come up with many hits and
leads. Here's one:

http://www.cexx.org/winservs.htm

Dunno why AdAware/Spybot don't remove it. Maybe new version. You might
want to try the HijackThis forum.


Art
http://www.epix.net/~artnpeg


Excellent!! Thanks!

The cexx link was very helpful, and the HijackThis forum is offline
while they 'move to a new server'.

Cheers!
Jaz

(Please excuse the 'burp' when replying)
 
Jaz

SFB said:
Are you sure about the name? WNSINTIT.EXE I think you mistyped.

Response from Art was useful -- the cexx.org link has some help on their
front page; the HijackThis forum is offline while they 'move to a new
server'.

Thanks all!
Jaz
(Please excuse the 'burp' when replying)
 
kurt wismer

Jaz said:
Well, I really want to get to the root of the problem, rather than
installing barriers. The problem is that there are nasties lurking on
my PC and the only real solution is to clean them off.

ummm... no... that's not what popups are... there are browser popups
which are scripts that run when you visit a website that open a new
browser window with an advertisement in it, and there are windows
messaging service popups which are commands sent to the windows
messaging service to pop up rudimentary message boxes with text
advertisements in them...

neither of these reside on your machine...
Since I'm
running non-IE from behind a firewall, the popups are coming from
processes running on my pc, not from messenger service connections
from remote TCP.

then i can only tell you what you're encountering are not popups and to
call them that will elicit the wrong types of responses...

presumably you called them popups because they resemble popups,
probably because they're advertising something (am i right so far?)...
if so then you have adware of some sort... generally in that case you
should consider running adaware, though i gather your previous
experience with it was less than stellar...
 
Jaz

Jaz said:
<snip>

Okay, Zone Alarm is reporting that "sear1 MFC Application" is trying
to get to the Internet. The process is 'wnsintit.exe' -- this sounds
like a nasty to me. Anyone?

PS, I'm now running/using:

- NAV 2003
- Zone Alarm Pro
- Spybot S&D
- SpywareBlaster
- SpywareGuard
- HijackThis
- CWSShredder

ALL of which now say I'm clean (tho Spybot S&D has found and deleted
TONS of items). PSS, this is my hacking around system (games, etc.) and
has only been installed for a few months. I guess I don't practice
enough caution on this one.


Okay, almost there...

I found these in Run registry key

nwiz REG_SZ nwiz.exe /install
WinEssential REG_SZ C:\WINNT\System32\keyhost.exe

keyhost.exe is a worm, but what about nwix.exe?

Is there an easy way to print out this key set?

PS, the cexx.org suggests that sear1 is contracted by unclean
websites, but I haven't been to any... really. But I have installed a
mess of freeware utilities, but not necessarily acquired from their
author sites, so perhaps one was injected with a worm.

Jaz
(Please excuse the 'burp' when replying)
 
null

PS, the cexx.org suggests that sear1 is contracted by unclean
websites, but I haven't been to any... really. But I have installed a
mess of freeware utilities, but not necessarily acquired from their
author sites, so perhaps one was injected with a worm.

Another "easy" thing you might try, since you're not sure about worms
and other malware, is the Sys-Up download from my web site.


Art
http://www.epix.net/~artnpeg
 
Jaz

Okay, almost there...

I found these in Run registry key

nwiz REG_SZ nwiz.exe /install
WinEssential REG_SZ C:\WINNT\System32\keyhost.exe

keyhost.exe is a worm, but what about nwix.exe?

It's NVIDIA nView Control Panel.

(Please excuse the 'burp' when replying)
 
SFB

Jaz said:
It's NVIDIA nView Control Panel.

(Please excuse the 'burp' when replying)

C'mon Jaz keyhost has nothing to do with Nvidia, ..... Burp. Nwix doesn't
ring any nvidia bells to me also.
Format c:/ and reinstall the whole thing seems a good option.
 
Jaz

SFB said:
C'mon Jaz keyhost has nothing to do with Nvidia, ..... Burp. Nwix doesn't
ring any nvidia bells to me also.
Format c:/ and reinstall the whole thing seems a good option.

Whaaaat?! (in the voice of Labatts Beer/Bear mascot)

I'm pretty sure keyhost.exe is a virus/malware. saer.exe too. I
deleted both and removed Run keys.

nwiz.exe is the NVIDIA video card control panel. Silly, yes. But not a
virus.

I'm running Trend Micro's Sysclean thingie - Thanks ART - which is
taking its sweet time. If I see so much as popover I'll reformat,
force feed it castor oil and wash its removable drives with soap.

Ciao.
(Please excuse the 'burp' when replying)
 
Jaz

kurt wismer said:
ummm... no... that's not what popups are... there are browser popups
which are scripts that run when you visit a website that open a new
browser window with an advertisement in it, and there are windows
messaging service popups which are commands sent to the windows
messaging service to pop up rudimentary message boxes with text
advertisements in them...

neither of these reside on your machine...


then i can only tell you what you're encountering are not popups and to
call them that will elicit the wrong types of responses...

presumably you called them popups because they resemble popups,
probably because they're advertising something (am i right so far?)...
if so then you have adware of some sort... generally in that case you
should consider running adaware, though i gather your previous
experience with it was less than stellar...

Yes, sorry. They're not browser site-evoked popups, but local malware
processes that open ads in new IE windows. Oops - Thanks.

(Please excuse the 'burp' when replying)
 
SFB

Jaz said:
Whaaaat?! (in the voice of Labatts Beer/Bear mascot)

I'm pretty sure keyhost.exe is a virus/malware. saer.exe too. I
deleted both and removed Run keys.

nwiz.exe is the NVIDIA video card control panel. Silly, yes. But not a
virus.

I'm running Trend Micro's Sysclean thingie - Thanks ART - which is
taking its sweet time. If I see so much as popover I'll reformat,
force feed it castor oil and wash its removable drives with soap.

Burrrrrrrrrrppppp So? Got wise anyhow Jaz. Good thing for you.
 
discogail

Close all other windows...with only HijackThis running...check off:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.searchant.com/r=6&s=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
about:blank
R3 - URLSearchHook: IncrediFindBHO Class -
{5D60FF48-95BE-4956-B4C6-6BB168A70310} -
C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} -
C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [version] C:\WINNT\system32\version.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\system32\Keyhost.exe
O4 - HKLM\..\Run: [updater] C:\Programs\Common
files\updater\wupdater.exe
O4 - HKCU\..\Run: [ntbalckup.exe] C:\WINNT\system32\ntbalckup.exe
O4 - HKCU\..\Run: [Atro] C:\Documents and Settings\jaz\Application
Data\saer.exe
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintit.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present

Click "Fix Checked" ...


Download LSPfix here: http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of inetadpt.dll (and nothing else), and move them to
the "Remove" pane.
Then click Finish.

Now restart your computer, go to c:\windows\system32 and delete the
inetadpt.dll file.
go to: C:\Programs & delete the INCREDIFIND folder
C:\Programs\Common files & delete the updater folder
C:\WINNT\system32 & delete
version.exe...Keyhost.exe...ntbalckup.exe...wnsintit.exe
C:\Documents and Settings\jaz\ApplicationData & delete saer.exe
 
Jaz

(e-mail address removed) forgot to take the pills and typed:

Thank you, Art. Your intro to Trend Micro's tools helped quite well --
it found eight BKDR_SANDBOX.A infested files.

I also like your pictures... Ahhh, simpler days those were, eh? When
I was sixteen it was 1980 and I was driving a '69 Cutlass ;^)

(Please excuse the 'burp' when replying)
 
Sharky

In alt.privacy.spyware, Jaz says...
Then AdAware, but that seemed to cause an explosion of
self-installers, icons on the desktop, and spyware became rampant.
(Sorry if this is a bad assessment of cause and effect, but that was
my experience)

Ad-aware has never caused anything like this on any computer I've ever run
it on. This may be related to your coolweb infestation, though. Some
coolweb variants will actually disable Ad-aware when you load it into
memory. There is a "stealth" program for Ad-aware, but I'm having trouble
finding the url for the it. What it does is stealths Ad-aware so that it
can run. Maybe someone else here can come up with the url, if not, I'll
check at work tomorrow as I know I have it there.
 
*Vanguard*

Don't know why SFB wanted you to delete SpywareGuard (unless SFB can
recognize that the classID of the copy you have running is a sham version).
Did you get SpywareGuard from the JavaCool web site
(http://www.wilderssecurity.net/)?

I'm running Windows XP. Don't recall if you mentioned what version of
Windows that you are using. From the inclusion of "WinNT" in some of the
records you show, I'm guessing you are running Windows 2000, so there will
be some differences between what you see and what I see.
Here's a new log:

Logfile of HijackThis v1.97.7
Scan saved at 2:37:38 PM, on 2/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
Windows NT Session Manager.
C:\WINNT\system32\winlogon.exe
No brainer on this one. Windows NT Login Application.
C:\WINNT\system32\services.exe
You should see only one instance of this process. It manages the
svchost.exe processes in which the NT services are distributed.
C:\WINNT\system32\lsass.exe
Logon security.
C:\WINNT\system32\svchost.exe
A Description of Svchost.exe in Windows XP
http://support.microsoft.com/?kbid=314056

There may be more than one instance of this running. I have 2 copies of
this file under C:\Windows\System32 and C:\Windows\DLLcache. I'm running
Windows XP. Don't recall if you mentioned your version of Windows.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Norton's common client event manager.
C:\WINNT\system32\spoolsv.exe
Print spooler.
C:\WINNT\System32\svchost.exe
Yep, another instance. Should be okay. Depends on how many NT services you
have running.
C:\Programs\Norton AntiVirus\navapsvc.exe
Norton Anti-Virus.
C:\Programs\Norton AntiVirus\AdvTools\NPROTECT.EXE
Norton Anti-Virus.
C:\WINNT\System32\nvsvc32.exe
Not found on my system. I'm running Norton AntiVirus 2003 (says version
9.05.15 under the Help -> About menu).
C:\WINNT\system32\regsvc.exe
Remote Registry (an NT service). I don't have this process running. For
the NT service called "Remote Registry", it loads
"C:\WINDOWS\system32\svchost.exe -k LocalService" so it gets rolled under an
instance of svchost.exe.
C:\WINNT\system32\MSTask.exe
Task Scheduler.
C:\WINNT\system32\stisvc.exe
NT service "Windows Image Acquisition" for scanners and cameras. Not
present on my system, but that's because WIA loads using
"C:\WINDOWS\System32\svchost.exe -k imgsvc", so this service got rolled
under an instance of svchost.exe.
C:\WINNT\system32\ZoneLabs\vsmon.exe
Don't have ZoneAlarm on my system. Presumably for ZoneAlarm.
C:\WINNT\System32\WBEM\WinMgmt.exe
Windows Management Instrumentation (WMI). This doesn't show up separately
on my system because, again, it has been rolled under an instance of
svchost.exe.
C:\WINNT\system32\svchost.exe
Yet another instance of svchost. I sometimes have up to 5 instances of this
process.
C:\WINNT\Explorer.EXE
Windows Explorer.
C:\WINNT\system32\CTHELPER.EXE
Creative Labs Soundblaster utility. "... it helps detect when the Sound
Blaster Extigy is plugged in and removed, when headphones are
attached/removed, and so on.", according to a reply from Creative.
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
Don't know this one.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Norton common client application (part of NIS and NAV).
C:\Programs\ZONELA~1\ZONEAL~1\zlclient.exe
Probably ZoneAlarm stuff.
C:\Documents and Settings\jaz\Application Data\saer.exe
Don't know this one.
C:\WINNT\system32\wnsintit.exe
Don't have this file. Could be something for Windows 2000 (I have Windows
XP) or for some application you installed that pollutes the OS paths (and
Microsoft actually promotes this pollution). Right-click on the file and
look under Properties -> Version. If that's unhelpful, use FileSnoop, a hex
editor, or even Notepad to look inside to see if you can catch some text
strings indicating what it is for.
C:\Programs\SpywareGuard\sgmain.exe
C:\Programs\SpywareGuard\sgbhp.exe
JavaCool's SpywareGuard. This doesn't contain spyware or create popups. If
you want to check, get BHO Demon and disable the BHOs (browser helper
objects) installed for IE.
C:\PROGRAMS\MOZILL~1\MOZILL~1.EXE Mozilla.

C:\Programs\Utils\HijackThis.exe
You know this one.


In the registry keys listed by HijackThis, those pointing to
www.searchant.com look to be a hijack to supplant your search options in IE
(unless you modified the default list of available search engines to include
this site).

For the registry keys with "IncrediFind", that looks to be another hijack.
A Google search on "IncrediFind" found several articles, like
http://www.kephyr.com/spywarescanner/library/incredifind/index.phtml. One
of the registry keys listed indicates IncrediFind also runs as a BHO, so you
should be able to see it (and disable it) using BHO Demon.

A lot of the registry keys regard Symantec products, ZoneAlarm,
SpywareGuard, Spybot (because you've enabled its BHO for IE), Creative
helper, TweakUI, Windows Update.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
So, you decided to overclock? Looks like some nVidia tweaker utility, maybe
to alter the coolbit values.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
nVidia virtual desktop manager?
O4 - HKLM\..\Run: [FinePrint Dispatcher v5]
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
Got an app you installed called "FinePrint"?
O4 - HKLM\..\Run: [version] C:\WINNT\system32\version.exe
Huh? What's this? Looks to be part of the keyhost infection; see
http://www.reger24.de/prozesse/Keyhost.exe.php.
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\system32\Keyhost.exe
Yep, you're still infected.
O4 - HKCU\..\Run: [ntbalckup.exe] C:\WINNT\system32\ntbalckup.exe
Don't know this one. Maybe an infection (because of the misspelled
"ntbackup" that inserted an "l")? The real NT Backup program has a filename
of "ntbackup.exe", not "ntbalckup.exe".
O4 - HKCU\..\Run: [Atro] C:\Documents and Settings\jaz\Application
Data\saer.exe
You know what this is for? Might it go to www.saer.ws (Lima, Peru)? I
didn't look much at this site but did use Lynx (text-only browser) and saw
it was in Spanish (maybe) and looked to be about sex. Take a look inside
the .exe file using FileSnoop, a hex editor, or even Notepad to see if you
can find a hardcoded URL to a web site.
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintit.exe
Unknown to me.
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
Part of Adobe Photoshop maybe?
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
STOP downloading that freeware crap! No level of security can bypass what
the *user* allows. Another infection (see
http://www.kephyr.com/spywarescanner/library/targetsoft.inetadpt/index.phtml).
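A triage pass over the HijackThis log format this thread walks through, added here as an example (it is not HijackThis's own code nor any poster's tool): it parses R0-R3, O2, O4 and O10 lines copied from the posted log and applies the checks the replies above made by hand. The allowed-host list, the system-binary list and the names taken from the thread are assumptions for the example.

```python
"""Triage a HijackThis 1.97-style log.  Example code added for this thread,
not a HijackThis feature or any poster's tool.  SAMPLE_LOG is copied from
the log posted above (wrapped lines rejoined); the rules encode what the
replies flagged: searchant.com search settings, one CLSID registered as both
R3 URLSearchHook and O2 BHO, O4 Run entries launching from the user's profile
or using look-alike names, and the repeated O10 Winsock LSP entry."""
import re
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programs\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\system32\Keyhost.exe
O4 - HKCU\..\Run: [ntbalckup.exe] C:\WINNT\system32\ntbalckup.exe
O4 - HKCU\..\Run: [Atro] C:\Documents and Settings\jaz\Application Data\saer.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
"""

ALLOWED_HOSTS = {"www.microsoft.com"}   # IE's stock search/start page host (assumed)
SYSTEM_NAMES = {"ntbackup.exe", "svchost.exe", "explorer.exe", "lsass.exe"}  # assumed list
THREAD_FLAGGED = {"keyhost.exe", "version.exe", "wnsintit.exe", "saer.exe"}  # named above

R_RE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
HOOK_RE = re.compile(r"^(R3|O2) - .*?(\{[0-9A-F-]{36}\}) - (.+)$", re.I)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$", re.I)
PROFILE_RE = re.compile(r"\\documents and settings\\[^\\]+\\application data\\", re.I)


def looks_like(name, known):
    """True when deleting one character from name yields a known binary name."""
    return any(name[:i] + name[i + 1:] in known for i in range(len(name)))


def triage(log_text):
    """Return a de-duplicated list of (section, reason, detail) findings."""
    findings, seen, clsids = [], set(), {}

    def note(section, reason, detail):  # record each distinct finding once
        if (section, reason, detail) not in seen:
            seen.add((section, reason, detail))
            findings.append((section, reason, detail))

    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := R_RE.match(line):  # search/start page settings
            host = urlsplit(m.group(3)).hostname
            if host and host not in ALLOWED_HOSTS:
                note(m.group(1), f"IE search/start setting points at {host}", m.group(2))
        elif m := HOOK_RE.match(line):  # URLSearchHook and BHO registrations by CLSID
            clsids.setdefault(m.group(2).upper(), {})[m.group(1).upper()] = m.group(3)
        elif m := O4_RE.match(line):  # autostart entries under the Run keys
            cmd = m.group(3)
            exe = re.search(r"[^\\\s]+\.exe", cmd, re.I)
            exe = exe.group(0).lower() if exe else ""
            if exe in THREAD_FLAGGED:
                note("O4", f"{exe} was identified as malware in the thread", cmd)
            elif looks_like(exe, SYSTEM_NAMES):
                note("O4", f"{exe} is one character away from a Windows binary name", cmd)
            if PROFILE_RE.search(cmd):
                note("O4", "Run entry launches from the user's Application Data folder", cmd)
        elif m := O10_RE.match(line):  # LSP chain: repeats are one DLL, not four
            note("O10", "unknown Winsock LSP module (repeats are one DLL in the chain)", m.group(1).lower())

    for clsid, regs in clsids.items():  # same CLSID hooking search AND running as a BHO
        if {"R3", "O2"} <= set(regs):
            note("R3/O2", f"CLSID {clsid} is both a URLSearchHook and a BHO", regs["O2"])
    return findings
```

Running `triage(SAMPLE_LOG)` yields seven findings that match the items discogail's fix list and Vanguard's walkthrough singled out, while the stock Microsoft start page, the NAV Helper BHO and nwiz.exe pass clean.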
 