Downloader.agent.uj

Discussion in 'Malware Help (A Specialist Will Reply)' started by keithie46, Sep 19, 2006.

  1. keithie46

    keithie46 Private E-2

    Ewido is finding Downloader.agent.uj but cannot get rid of it. I suspect I may have others. I have completed all steps in the READ & RUN ME FIRST post, with the exception of Pandascan, which I could not get to run even in normal boot mode and with all virus, etc. programs killed.

    I have attached BitDefender, GetRunKey and ShowNew logs with this post. Will follow up with HJT and Ewido logs in a subsequent post.

    Any help is greatly appreciated.
     


  2. keithie46

    keithie46 Private E-2

    HJT and Ewido logs

    FYI - I turned on all startup entries prior to running HJT and at that point, Windows Defender found and removed "PowerRegScheduler"
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you set up your startpage to use the below?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm


    You need to run this: WareOut Removal and attach the requested log.


    Are the below tools free versions or paid versions?
    Ewido Anti-spyware 4.0
    Spy Sweeper
    X-Cleaner
    XoftSpy
     
  4. keithie46

    keithie46 Private E-2

    I did not set IE startpage to that, no. I almost never use IE, so I haven't noticed it.


    Ran FixWareOut and have attached log.

    Ewido says it has quarantined the infection and allowed me to delete it. It now scans clean. I am suspicious about this. I have attached a new HJT log as well.

    Tools:
    Ewido - free version
    Spysweeper - Paid
    X-Cleaner - Paid
    Xoftspy SE - Paid
    Trojan Hunter - Paid
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will fix it.

    Running too many realtime antispyware blocking tools can be as bad as malware itself. It can severely slow your PC down, it causes conflicts between the programs making each less effective, and it can make it impossible to fix problems when you do have them.

    Uninstall Ewido and Windows Defender! Do this now before continuing!

    If X-Cleaner performs blocking functions like Spy Sweeper you should really only use one. The same goes for the XoftSpy SE. But I'm not sure if it is a blocking tool. I think it may only be a scanner. Adding Trojan Hunter as a fourth may even add more problems. It is up to you what you want to do here but this level of paid protection is totally unnecessary and could even be less effective than having just one. I use only one realtime blocker (and some free protection which is not realtime blocking - like Spyware Blaster and Spybot's Immunize and SDhelper) and I never have any problems and I surf more than most people on the internet. However I am careful about where I surf, what I download, where I download from, and what I click on.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O17 - HKLM\System\CCS\Services\Tcpip\..\{01C4D210-428B-4E61-9825-8FD367A0D0AA}: NameServer = 85.255.116.165,85.255.112.141
    O17 - HKLM\System\CCS\Services\Tcpip\..\{946B9676-EA2A-4748-AAFC-6FC53418989A}: NameServer = 85.255.116.165,85.255.112.141
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0C41FDF-0885-4A7C-BD8E-41F682A250F0}: NameServer = 85.255.116.165,85.255.112.141
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.165 85.255.112.141
    O17 - HKLM\System\CS1\Services\Tcpip\..\{01C4D210-428B-4E61-9825-8FD367A0D0AA}: NameServer = 85.255.116.165,85.255.112.141
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.165 85.255.112.141
    O17 - HKLM\System\CS2\Services\Tcpip\..\{01C4D210-428B-4E61-9825-8FD367A0D0AA}: NameServer = 85.255.116.165,85.255.112.141
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.165 85.255.112.141

    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Look for and delete the below files if found:
    C:\WINDOWS\SYSTEM32\csdfr.exe
    C:\WINDOWS\SYSTEM32\thxcfg.ini

    Also delete the below folder if found:
    C:\Program Files\Common Files\{D88532AB-0576-1033-0830-040917030001}


    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
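    The O17 lines above are HijackThis reporting DNS server addresses persisted under the Tcpip service keys in each control set (CCS, CS1, CS2). As an added example, not part of the thread or of chaslang's instructions, the PowerShell below reads those same keys (the global Parameters value plus every Interfaces subkey) and reports any resolver that is not on a list you trust. It assumes a `$TrustedDns` list that you fill in with your own router, ISP or corporate resolvers; the two addresses in the thread's O17 lines would be reported unless you had put them there. The script only reads and reports; removing entries remains the HJT fix step described in the post.

```powershell
# Added example, not from the thread: audit the DNS servers persisted under the
# Tcpip service keys that HijackThis reports as O17 lines, across every control set
# (HJT's CCS, CS1, CS2). The script only reads and reports; it changes nothing.
# Assumption: $TrustedDns holds the resolvers you expect on this machine.

$TrustedDns = @('192.168.1.1')   # assumed value: replace with your own resolvers

function Split-NameServerList {
    param([string]$Value)
    # The thread's O17 lines show both "a,b" and "a b" forms; accept either separator.
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split '[,\s]+' | Where-Object { $_ -ne '' })
}

function Get-TcpipNameServerEntries {
    # Enumerate ControlSet001, ControlSet002, ... plus CurrentControlSet, because a
    # value can survive in a backup control set after it is removed from the current one.
    $sets = @('CurrentControlSet') + @(Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d+$' } |
        ForEach-Object { $_.PSChildName })

    foreach ($set in $sets) {
        $params = "HKLM:\SYSTEM\$set\Services\Tcpip\Parameters"
        if (-not (Test-Path $params)) { continue }

        # The Parameters key itself (the "Tcpip\Parameters: NameServer" O17 line)
        # plus one key per network interface (the "{GUID}: NameServer" O17 lines).
        $keys = @($params) + @(Get-ChildItem "$params\Interfaces" -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSPath })

        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }
            # NameServer is a static setting; DhcpNameServer is what DHCP handed out.
            foreach ($name in 'NameServer', 'DhcpNameServer') {
                foreach ($server in (Split-NameServerList $props.$name)) {
                    [pscustomobject]@{
                        ControlSet = $set
                        Key        = $key -replace '^.*::HKEY_LOCAL_MACHINE', 'HKLM:'
                        ValueName  = $name
                        Server     = $server
                        Trusted    = ($TrustedDns -contains $server)
                    }
                }
            }
        }
    }
}

function Find-UntrustedNameServers {
    Get-TcpipNameServerEntries | Where-Object { -not $_.Trusted }
}

# Report anything not on the trusted list; an empty result means every persisted
# resolver matches what you expect.
$suspect = @(Find-UntrustedNameServers)
if ($suspect.Count -eq 0) {
    'No unexpected DNS servers found in any control set.'
} else {
    $suspect | Format-Table ControlSet, ValueName, Server, Key -AutoSize
}
```

    A resolver reported under DhcpNameServer is what the DHCP server assigned, so on a home network the router's own address will show up until you add it to `$TrustedDns`; what matters is a static NameServer value pointing somewhere you did not configure, which is exactly the pattern in the O17 lines above.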
     
  6. keithie46

    keithie46 Private E-2

    I did all of the above, including making Spysweeper the only blocker program, and have attached a new HJT log. Things seem to be working well.

    I do have a couple questions about the HJT log though. There are some things in the log that I thought should have been gone because I uninstalled the associated app a long time ago.

    Can I use HJT to remove the registry entries? Specifically: all entries related to NetMarks Manager, all things Symantec, and also line O23 - Service - GotomyPC - Unknown owner... I installed this to allow a support group to look at an app a long time ago; I should be able to delete it now, correct?

    Thank you very much for your help.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to your ShowNew log (the newfiles.txt file), GotoMyPC is still installed. You need to uninstall it. Fixing with HJT should be the last step. In addition, an active service (O23) line cannot normally just be fixed by selecting the line and fixing it.

    Also I see something in the ShowNew log named Network Diagrams. Is this where NetMarks Manager came from? If so, you should uninstall it. Otherwise yes, you can have HJT fix those lines.

    The Symantec items have nothing to do with an installed (or once installed) application. They are ActiveX controls from using their online scanning tools. And yes, you can simply fix those O16 entries. They would just download again if you ever access the site to use those tools again.


    Your current log is clean. Just let me know the results of the above.
     
