
View Full Version : Removing all sorts of Malware



gazz10
20th March, 2008, 07:14 PM
There's plenty of methods, but I used the following when I had a severe case of spyware on my computer, and it helped me get rid of almost everything! It's taken from: http://www.techspot.com/vb/topic17297.html, and slightly modified with updated links and such. Enjoy!

--> Download as .TXT near the end of this post

Download & install each program in its OWN directory, NOT on your DESKTOP or in TEMP!

HijackThis from http://www.majorgeeks.com/download5554.html (current version 2.02)
-- HJT MUST have its own directory to make Backups of all 'fixes', so you can 'undo' a wrong fix!
Spybot S&D from http://www.safer-networking.org: during install let it immunise your PC!
Adaware Personal Free from http://www.lavasoftusa.com/products/ad_aware_free.php
CWshredder from http://www.intermute.com/spysubtract/cwshr...r_download.html
CoolWWWSearch.SmartKiller from http://www.majorgeeks.com/download4113.html
-- Some CWS-versions prevent anti-spyware apps from opening. In that case run SmartKiller first.
AboutBuster from http://www.majorgeeks.com/download4289.html
ATF Cleaner from http://www.majorgeeks.com/ATF_Cleaner_d4949.html -- Vista, WinXP and Win2K only
(Note for Windows Vista users:
On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".)

Run the tools below.

SmitFraudFix from http://siri.geekstogo.com/SmitfraudFix.php -- Take note of the message at the bottom of the page, along with the rest of the page.
Vundofix from http://vundofix.atribune.org/
Look2me Destroyer from http://www.softpedia.com/progDownload/Look2Me-Destroyer-Download-76623.html
VirtumundoBeGone from http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
rdrivrem.zip from http://files.filefront.com/rdrivremzip/;8055924;/fileinfo.html
^This will remove the sdbot infection.

Before running these programs (now OR later), always make sure you have the LATEST program versions and definitions!

=============================================================================
REBOOT in SAFE MODE (press F8 a few times when booting or see how here).

XP/ME only: DISABLE SYSTEM RESTORE, see how here.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.

Run SmitFraudFix first.
Next run Vundofix
Next run VirtumundoBeGone
Next run Look2me Destroyer
Next run AboutBuster
Next run CWShredder. If needed, run SmartKiller first.
Next run AdAware, click 'Start', UNcheck 'Scan for negligible risk entries',
select 'Perform full system scan' and click 'Next'. Let AdAware remove anything it finds.
Next, run Spybot and let it remove anything it finds.

=============================================================================
Reboot again in Safe Mode.
Run HijackThis with NO other programs open!
Fix means: put a tick-mark in the square in front of that line, when found.

I M P O R T A N T
Open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, and keep that open!
For EVERY xxx.EXE file that is listed underneath, and that also shows in your HJT-log,
select the Process with that name (if there) and click End Process for it.

Most Running Processes are repeated as O4 - HKxx further down, some are not.
Fix ANY of these:
CHKINIT.EXE
DCOMCFG.EXE
DLLHOST.EXE
DLLSERV.EXE
MSSEARCHNET.EXE
NVCTRL.EXE
REGSERV.EXE
RMCTRL.EXE (UNLESS you have PowerDVD XP)
RUNDLL.EXE
SMSSU.EXE
SPOOISV.EXE <<== mind SPELLING
TMNTSRV32.EXE

Fix ANY programs running from
C:\Documents and Settings\[username]\Local Settings\Temp\WHATEVER.EXE

R0 & R1
Fix ALL if you have an XXXsearch problem
Fix ALL ending with: = about:blank
Fix ALL if listed with undesirable pages.

R3:
Fix ANY with (no name) AND either (no file) or (file missing)
Default URLSearchHook is missing

F2 - REG:
system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe, see AURORA note below.

O1 - Hosts:
Fix ALL

O2 - BHO:
Fix ANY with (no name) AND either (no file) or (file missing)
C:\WINDOWS\SYSTEM\DSKTRF.DLL
C:\WINDOWS\SYSTEM32\hpXXXX.tmp (where x is a random letter - four random letters after "hp" exactly)
C:\WINDOWS\SYSTEM32\winb2s32.dll
C:\WINDOWS\multimpp.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\xxxx.tmp
C:\WINDOWS\System32\yyyy.tmp

O3 - Toolbar:
Begin2Search.com Bar - {clsid-number} - C:\WINDOWS\SYSTEM\WINB2S32.DLL

O4 - HKxx\..\Run [something]: -> look for the .EXE files <-
RUNDLL32 AUNPS2.DLL,_Run@16
"C:\Program Files\AutoUpdate\AutoUpdate.exe"
bcvsrv32.exe
RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun <<== delete ONLY cfgmgr52.dll
C:\WINDOWS\conscorr.exe
internat.exe
loadqm.exe
C:\WINNT\mmups.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\Program Files\MsUpdate\MsUpdate.exe
oddtreg.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
updatesp2.exe
C:\WINDOWS\system32\svc.exe
C:\Program Files\TV Media\Tvm.exe
C:\WINDOWS\System32\twink64.exe blabla..
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
C:\Program Files\Winamp\winampA.exe <-- Spelling!
C:\Program Files\Windows ControlAd\WinCtlAd.exe and/or WinCtlAdALT.EXE
winlog.exe
C:\WINDOWS\winupdate.exe
C:\WINDOWS\winupdates.exe
C:\Program Files\winsupdater\winsupdater.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
..\Web Offer\WO.EXE
..\WildTangent\ANYTHING......

'Google' suspicious names like these. Fix if not found or <100 results.
[jmruplg] C:\WINDOWS\Lmddwz.exe
[Rxagik] C:\WINDOWS\Meruoq.exe

O4 - HKLM\..\RunServices:
[Bcvsrv32] bcvsrv32.exe
[sp2update] updatesp2.exe
[] winlog.exe

I M P O R T A N T
If you have any of the above RunServices, click Start > Run, type services.msc and click OK.
Double-click it if there, click Stop if it's running, and change the Startup type to Disabled.

O4 - Global Startup:
Reboot.exe
WHATEVER.lnk = ?

O4 - Startup:
PowerReg Scheduler V3.exe

O9 - Extra button:
Fix ANY with (file missing)
WeatherBug - {clsid-number} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O10:
For these see LSPFIX note below.
Broken Internet access because of LSP provider 'xxxx.dll' missing
Unknown file in Winsock LSP: .....

O14 - IERESET.INF:
SEARCH_PAGE_URL= [blank]
START_PAGE_URL= [blank]

O15 - Trusted Zone:
Fix ALL, no matter WHAT names they have

O16 - DPF:
Fix ALL, no matter WHAT names they have, except for Microsoft/Windows entries.

O17 - HKLM...
Fix ALL if IP-addresses are NOT from YOUR ISP.

O23 - Service:
If you find SvcProc.exe, see AURORA note below.

Now, in HijackThis, hit the Fix checked button.

After HJT is finished, while still in Safe Mode, delete any of these bold directories if you have them:
Found in C:\Program Files\
\AutoUpdate
\AWS
\MessengerPlus! 3
\MsMovies
\MsUpdate
\TV Media
\Viewpoint
\Web Offer
\WildTangent
\Windows ControlAd
\winupdate
\winupdates
\Common Files\WinTools
C:\WINDOWS\System32\P2P Networking
C:\WINDOWS\System32\vidctrl

Then delete all individual files/programs that were fixed.

Delete ALL files and folders from:
C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL users!

For Vista, XP or 2000, run ATF Cleaner, select all, and clean, and then do the same for the Firefox tab.

For other versions of Windows, in Internet Explorer, click on Tools/Internet Options and
empty your Temporary Internet Files, all Offline content and delete Cookies.
In Firefox, click on Tools/Options and Clear Cache and Clear Cookies.
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).

Finally, boot in normal mode and see how the PC behaves. Run a full AV-scan.
Vista/XP/ME-users, ENable System Restore or see here.

Stop using IE, except for Windows-updates.
Get Firefox instead!

----------NOTES----------
LSPFix

If you have problems with HijackThis entries such as:

O10 - Broken Internet access because of LSP provider 'xxxx.dll' missing
O10 - Unknown file in Winsock LSP: .....

download and run LSPFix from http://cexx.org/lspfix.htm

Use these instructions to remove the bad DLL:
1. Run LSPFix.
2. Check 'I know what I'm doing'.
3. Select 'xfire_lsp_8742.dll' (or substitute with "your" missing file name).
4. Click the right-pointing arrow (moves it to the "remove" page).
5. Click 'Finished'.

6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
7. Delete the file: 'xfire_lsp_8742.dll' (or substitute with "your" missing file name). Do NOT delete ANY other files!
8. Restart your computer and bring it up in normal mode.
-------------------------------------------------------------------------------------------

AURORA

NOTE: this text was copied from TheJoker on the BroadbandReports Forum http://www.broadbandreports.com/forum/remark,13685446

Please download, install, and update the free version of Ewido trojan scanner: http://www.ewido.net/en/download/

- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Exit Ewido. DO NOT scan yet.

Download CCleaner from http://www.ccleaner.com/download and install, but do not run it yet.

Please download the Nail/Aurora Spyware Fix: www.spywareedge.net/nf/nailfix.exe
Save it to the desktop but do NOT run yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:

- Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
- Select an option when the Windows Advanced Options menu appears, and then press ENTER.
- When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

Once in Safe Mode, double-click the downloaded NAILFIX.EXE file.
The program runs very quickly, this is normal.

Next, run CCleaner.

- Uncheck "Cookies" under "Internet Explorer".
- If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Now run Ewido again.

- Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If Ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Then run HijackThis, click Scan, and place a checkmark by the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
ANY O2 - BHO: that has (file missing)
ANY O2 - BHO: that has (no name) AND (no file)
ANY O3 - Toolbar: that has (no name) AND (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
OR
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing).

Finally, restart your computer in normal mode and post a new HijackThis log (as an attachment with .txt extension), as well as the log from the Ewido scan.

Good luck!
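A small triage script that applies the HijackThis-log rules from the post above (R0/R1 about:blank, O1 Hosts, O2 BHOs with no file or a listed DLL, O4 autoruns from Temp or with a listed name, non-Microsoft O16 entries, the SvcProc service) to a log, so the entries a reader should tick in HJT can be checked before touching anything. This is an added example, not part of the original post or of HijackThis; the sample log lines, CLSIDs, hostnames and user name are constructed.

```python
import re

# Constructed HijackThis-style log (not from the post): CLSIDs, hosts and user names are made up.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 127.0.0.1 update.example.test
O2 - BHO: (no name) - {AAAA-0001} - (file missing)
O2 - BHO: Helper - {AAAA-0002} - C:\WINDOWS\SYSTEM32\hpqrsx.tmp
O2 - BHO: PDF Link Helper - {AAAA-0003} - C:\Program Files\Reader\Helper.dll
O4 - HKLM\..\Run: [svc] C:\WINDOWS\system32\svc.exe
O4 - HKCU\..\Run: [upd] C:\Documents and Settings\bob\Local Settings\Temp\upd.exe
O4 - HKLM\..\Run: [Mixer] C:\WINDOWS\system32\sndvol32.exe
O16 - DPF: {AAAA-0004} (Flash Object) - http://fpdownload.example.test/flash.cab
O16 - DPF: {AAAA-0005} (Windows Update Control) - http://update.example.test/wu.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

BAD_O4 = {"bcvsrv32.exe", "conscorr.exe", "loadqm.exe", "mmups.exe", "oddtreg.exe", "svc.exe",
          "updatesp2.exe", "winlog.exe", "winupdate.exe", "winupdates.exe", "wintask.exe", "winampa.exe"}
BAD_O2 = {"dsktrf.dll", "winb2s32.dll", "multimpp.dll", "systb.dll", "cfgmgr52.dll"}  # from the O2 list
HP_TMP = re.compile(r"\\hp[a-z]{4}\.tmp$", re.I)          # the guide's hpXXXX.tmp pattern
TEMP_DIR = re.compile(r"\\Local Settings\\Temp\\", re.I)  # "programs running from ...\Temp"

def triage_line(line):
    """Return why the guide says to fix this HJT line, or None to leave it alone."""
    m = re.match(r"(R\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    sect, body = m.groups()
    low = body.lower()
    if sect in ("R0", "R1") and low.endswith("= about:blank"):
        return "R0/R1: start/search page hijacked to about:blank"
    if sect in ("O1", "O15"):
        return sect + ": fix all (hosts file / trusted zone)"
    if sect == "O2":
        dll = body.rsplit(" - ", 1)[-1]  # last field of an O2 line is the DLL path
        if (("(no name)" in low and ("(no file)" in low or "(file missing)" in low))
                or dll.rsplit("\\", 1)[-1].lower() in BAD_O2 or HP_TMP.search(dll)):
            return "O2: BHO with no file, or loading a DLL named in the guide"
    if sect == "O4":
        exes = {n.lower() for n in re.findall(r'[^\\\s"]+\.exe', body, re.I)}  # basenames only
        if TEMP_DIR.search(body) or exes & BAD_O4:
            return "O4: autorun from Local Settings\\Temp or named in the guide"
    if sect == "O16" and "microsoft" not in low and "windows" not in low:
        return "O16: non-Microsoft Download Program File"
    if sect == "O23" and "svcproc.exe" in low:
        return "O23: SvcProc service, see the AURORA note"

def triage_log(text):
    return {ln: why for ln in text.splitlines() if (why := triage_line(ln))}
```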

ronb62
16th April, 2008, 05:09 PM
This has to be one of the best clean-up routines I've seen, with all links and info. I've done mega loads of clean-ups and fixes for people. Thx

Bigmemo
23rd April, 2008, 05:10 AM
but it's not for a newbie...
anyway thx...

JMA
24th April, 2008, 02:53 PM
Thanks for this

Lazaruseifer
24th April, 2008, 05:06 PM
Good guide, thanks a bunch