# Solved: Trojan Viruses Won't Go Away



## No XPert (Aug 22, 2005)

Hey Guys, 
Not sure if I'm posting this in the right section. Computer is infected by a couple of trojans; I have run scans, which detect them, but they keep coming back. Any help appreciated. Thanks in advance.
Included HJT file.....

Logfile of HijackThis v1.99.1
Scan saved at 6:56:08 PM, on 23/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\{B869CC14-08AD-3081-0716-03052403003d}\Update.exe
C:\WINDOWS\9129837.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3869CC14-08AE-3081-0716-03052403003d}\MyToolBar.dll
O2 - BHO: (no name) - {CE65D4B2-71BE-4388-B38E-80CBD8EC7717} - C:\Program Files\MSN\horedo.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3869CC14-08AE-3081-0716-03052403003d}\MyToolBar.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [uzm2ec00] RUNDLL32.EXE w011be6b.dll,n 0062ebfa0000000a011be6b
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

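The HijackThis log above carries several persistence entries a helper picks out by eye: the F2 Winlogon Shell value that launches ibm00005.exe alongside explorer.exe, the O4 rundll32 entry with a bare DLL name, the numeric executable in the Windows root, BHOs whose DLL is gone, and the ActiveX download from matcash.com. As an added example that is not part of the thread, the Python script below parses a constructed excerpt of that log and flags those patterns automatically; the trusted-host list and the heuristics are assumptions of this example, not part of HijackThis.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the first log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {CE65D4B2-71BE-4388-B38E-80CBD8EC7717} - C:\Program Files\MSN\horedo.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [uzm2ec00] RUNDLL32.EXE w011be6b.dll,n 0062ebfa0000000a011be6b
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
"""

# Assumed allow-list for O16 ActiveX download hosts; extend for your environment.
TRUSTED_ACTIVEX_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com")


def _host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ACTIVEX_HOSTS)


def check_f2(line):
    """F2: the Winlogon Shell value should be exactly explorer.exe."""
    if "Shell=" not in line:
        return None
    value = line.split("Shell=", 1)[1].strip()
    if value.lower() == "explorer.exe":
        return None
    return "Winlogon Shell launches more than explorer.exe: " + value


def check_o2(line):
    """O2: a BHO whose DLL no longer exists is a leftover or a blocked loader."""
    if "(no file)" in line or "(file missing)" in line:
        return "BHO registered but DLL absent: " + line.split(" - ", 2)[2]
    return None


def check_o4(line):
    """O4: Run entries using rundll32 with a bare DLL, or a purely numeric .exe name."""
    if ": [" not in line or "] " not in line:
        return None
    name, cmd = line.split(": [", 1)[1].split("] ", 1)
    cmd_l = cmd.lower()
    # rundll32 given a DLL with no directory resolves it by search order, a classic hiding spot
    m = re.match(r'rundll32(?:\.exe)?\s+([^,\s]+)', cmd_l)
    if m and "\\" not in m.group(1):
        return f"[{name}] rundll32 loads a DLL with no path: {m.group(1)}"
    # First token of the command is the executable (quoted or not)
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    basename = exe.rsplit("\\", 1)[-1]
    if re.fullmatch(r"\d+\.exe", basename, re.I):
        return f"[{name}] executable with a random numeric name: {exe}"
    return None


def check_o16(line):
    """O16: ActiveX components downloaded from hosts outside the allow-list."""
    url = line.rsplit(" - ", 1)[1].strip()
    if url.lower().startswith("http") and not _host_trusted(url):
        return "ActiveX download from untrusted host: " + url
    return None


CHECKS = {"F2": check_f2, "O2": check_o2, "O4": check_o4, "O16": check_o16}


def triage(log_text):
    """Return a list of (section, finding) tuples for the suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        section = line.split(" - ", 1)[0]
        check = CHECKS.get(section)
        if check:
            finding = check(line)
            if finding:
                findings.append((section, finding))
    return findings


if __name__ == "__main__":
    for section, finding in triage(SAMPLE_LOG):
        print(f"{section}: {finding}")
```

The HijackThis log sections the script does not know (R0/R1, O9, O18, O20, O23) pass through untouched, so it narrows a log for review rather than replacing it.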

----------



## Cookiegal (Aug 27, 2003)

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
Thanks for the reply. Since posting I've worked out that it's the MSN virus. I'll do a few scans etc. recommended on other threads, plus what you have posted. Will post logs ASAP. May take a while as fixing this comp is fairly low on my list of priorities atm.
That will free you up to help others more desperate than I. Post soon. Thanks.
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

I would prefer that you follow my instructions only please so that I know what is being done.


----------



## No XPert (Aug 22, 2005)

Ok Cookiegal. I appreciate your help. Prior to you replying last night I ran Alcanshorty. Seems to have cleared some issues. Ran AVG Anti-spyware; at the end there was "No Report Available". Ran Panda scan as requested. I will allocate as much time to this as I can, so please bear with me if replies seem to be slow coming. Thank you.

Logs as requested.

Incident Status Location

Virus:Trj/Spyforms.H Disinfected Operating system 
Adware:adware/look2me Not disinfected c:\windows\system32\guard.tmp 
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf 
Virus:trj/torpig.a Disinfected Operating system 
Potentially unwanted tool:application/zango Not disinfected hkey_current_user\software\Zango Messenger 
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179} 
Virus:Trj/Spyforms.H Disinfected C:\cvmsfitp.exe 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt  
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][3].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][4].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected]portal.information[1].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\drv.exe 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\My Documents\Jade\cartoon pics\ZwinkySetup2.2.50.1.exe 
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\one.exe 
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe 
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3869CC14-08AD-3081-0716-03052403003d}\Uninst.exe 
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3869CC14-08AE-3081-0716-03052403003d}\Uninst.exe 
Potentially unwanted tool:Application/MSNContentPlus Not disinfected C:\WINDOWS\MSNImport.exe 
Adware:Adware/CWS Not disinfected C:\WINDOWS\system32\drv.exe  
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\one.exe 
Logfile of HijackThis v1.99.1
Scan saved at 8:49:47 PM, on 24/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: (no name) - {CE65D4B2-71BE-4388-B38E-80CBD8EC7717} - C:\Program Files\MSN\horedo.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [uzm2ec00] RUNDLL32.EXE w011be6b.dll,n 0062ebfa0000000a011be6b
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Regards David


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download Look2Me-Destroyer.exe and save it to your desktop.

Close all windows before continuing.
Double-click *Look2Me-Destroyer.exe* to run it.
Put a check next to *Run this program as a task.* 
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click *OK*
When Look2Me-Destroyer re-opens, click the *Scan for L2M* button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the *Remove L2M* button.
You will receive a *Done Scanning* message, click *OK*.
When completed, you will receive this message: *Done removing infected files! Look2Me-Destroyer will now shutdown your computer*, click *OK*.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\*Look2Me-Destroyer.txt* and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a *runtime error '339'* please download MSWINSCK.OCX from the link below and place it in your *C:\Windows\System32* Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


----------



## No XPert (Aug 22, 2005)

Thanks Cookiegal, Will do that as soon as I get home. Post soon.
Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

:up:


----------



## No XPert (Aug 22, 2005)

Hello again my "Cyber Heroine", destroyer of all things evil!!! L.O.L. (a.k.a Cookiegal). 
Wife reports that it's running a lot better. Should I stop her from using MSN until we sort this out and protect the PC better?? On startup, it's reporting "Error loading w011be6b.dll" and also "Cannot find C:/..........ibm00005.exe"

Logs as requested

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 25/10/2006 6:41:06 PM

Infected! C:\System Volume Information\_restore{835AD6E8-7A58-4DE4-B66D-F0FE80528E86}\RP390\A0073990.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{835AD6E8-7A58-4DE4-B66D-F0FE80528E86}\RP390\A0073990.dll
C:\System Volume Information\_restore{835AD6E8-7A58-4DE4-B66D-F0FE80528E86}\RP390\A0073990.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 6:49:29 PM, on 25/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: (no name) - {CE65D4B2-71BE-4388-B38E-80CBD8EC7717} - C:\Program Files\MSN\horedo.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [uzm2ec00] RUNDLL32.EXE w011be6b.dll,n 0062ebfa0000000a011be6b
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Await your further instructions. 
P.S. Surprisingly this is our first ever virus, and fixing it through your expertise is ALMOST fun for me!!

Regards Dave


----------



## Cookiegal (Aug 27, 2003)

She can use MSN but just be careful.

Download *WinPFind.exe* to your desktop, double click on it to open it, and then select extract to extract the files. This will create a folder named *WinPFind* on your desktop.

*Start in Safe Mode Using the F8 method:*


Restart the computer.
As soon as the BIOS is loaded begin tapping the *F8* key until the boot menu appears.
Use the arrow keys to select the *Safe Mode* menu item.
Press the *Enter* key.

Double click on the WinPFind folder on your desktop to open it and then double click on the *WinPFind.exe* file to start the program.


Click Configure scan options
Under Run AdOns select the following:
Policies.def
Security.def

Click apply
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

When the scan is complete reboot normally and post the *WinPFind.txt* file (located in the WinPFind folder) back here along with a new HijackThis log.


----------



## No XPert (Aug 22, 2005)

Hello again Cookiegal,
Ok. Still shows "Error loading w011beb6.dll" and "cannot find C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe" on startup.
Had a minor problem with running WinPFind. On the "configure scan options" page, I could not see the whole page. I checked the buttons which started with the same letters as what you requested and pushed the top button (bar) to apply. I'm pretty sure that all's fine there. Here's the logs.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 26/10/2006 6:19:11 PM
WinPFind v1.5.0	Folder = C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 22/10/2006 2:05:02 PM 76800 C:\nckige.exe ()

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 4/08/2004 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PTech 19/06/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PECompact2 5/10/2006 6:03:46 AM 9639336 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 5/10/2006 6:03:46 AM 9639336 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 4/08/2004 10:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 4/08/2004 10:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 4/08/2004 10:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 4/08/2004 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech 19/06/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
UPX! 27/09/2006 9:07:34 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
FSG! 27/09/2006 9:07:34 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2 27/09/2006 9:07:34 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
aspack 27/09/2006 9:07:34 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
26/10/2006 6:13:20 PM S 2048 C:\WINDOWS\bootstat.dat ()
26/10/2006 3:08:56 PM H 54156 C:\WINDOWS\QTFont.qfn ()
1/10/2006 2:41:00 PM HS 10022 C:\WINDOWS\system32\KGyGaAvL.sys ()
13/09/2006 3:23:54 PM S 9435 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB924191.cat ()
4/09/2006 4:38:52 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB924496.cat ()
19/09/2006 12:40:26 AM S 8847 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB925486.cat ()
26/10/2006 6:13:08 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
26/10/2006 6:13:38 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
26/10/2006 6:13:22 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
26/10/2006 6:14:00 PM H 73728 C:\WINDOWS\system32\config\software.LOG ()
26/10/2006 6:13:30 PM H 802816 C:\WINDOWS\system32\config\system.LOG ()
15/09/2006 6:00:52 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
23/10/2006 8:27:16 PM S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 ()
23/10/2006 8:27:22 PM S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 ()
 23/10/2006 8:27:16 PM S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 ()
17/10/2006 6:31:14 AM S 70226 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1 ()
23/10/2006 8:27:16 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 ()
23/10/2006 8:27:22 PM S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 ()
23/10/2006 8:27:16 PM S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5 ()
17/10/2006 6:31:14 AM S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1 ()
4/10/2006 11:01:52 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9a7ad14a-4c92-4316-bdce-37d949d1f5f6 ()
4/10/2006 11:01:52 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
28/08/2006 10:23:36 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\195a4615-d932-4f2f-a42b-abf853685760 ()
28/08/2006 10:23:36 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
26/10/2006 6:09:48 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
4/08/2004 10:00:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
10/11/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
4/08/2004 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
10/12/2005 3:06:00 AM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl ()
4/08/2004 10:00:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
3/10/2003 3:14:30 PM 314880 C:\WINDOWS\SYSTEM32\QuickTime.cpl (Apple Computer, Inc.)
4/08/2004 10:00:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
4/08/2004 10:00:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl (Microsoft Corporation)
26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
{E055C02E-6258-40FF-80A7-3BDA52FACAD7} - - CodeBase = http://activex.matcash.com/speedtest2.dll

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
30/08/2005 11:01:34 AM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
30/08/2005 8:45:04 PM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
30/08/2005 11:01:34 AM HS 84 C:\Documents and Settings\Hello!.BIGPIECEOF****\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
1/10/2006 3:47:04 PM 873 C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\AdobeDLM.log ()
30/08/2005 8:45:04 PM HS 62 C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\desktop.ini ()
1/10/2006 3:47:04 PM 0 C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\dm.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.msn.com
\\Search Page - http://www.google.com
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.google.com.au/
\\Search Bar - http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
\\Search Page - http://www.google.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
\{77701e16-9bfe-4b63-a5b4-7bd156758a37} - = ()
\{9030D464-4C02-4ABF-8ECC-5164760863C6} - Windows Live Sign-in Helper = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
\{C004DEC2-2623-438e-9CA2-C9043AB28508} - = ()
\{CE65D4B2-71BE-4388-B38E-80CBD8EC7717} - = C:\Program Files\MSN\horedo.dll ()
\{D4E0C464-30CE-4075-9A10-71FD106C2847} - PrintViewBHO Class = C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL ()

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{21569614-B795-46B1-85F4-E737A8DC09AD} - Shell Search Band = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{C004DEC2-2623-438E-9CA2-C9043AB28508} - = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8192 = Windows Messenger
\\NEXTID - 8194
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 = Sun Java Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{4B4604E0-8961-11D4-A0EC-009099164712} - My MultiPASS = C:\Program Files\Canon\MultiPASS4\DTM4.DLL (Canon Inc.)
\\{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll ()
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\system32\nvshell.dll ()
\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\WinRAR - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\system32\nvshell.dll ()
\NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - = ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
REGSHAVE - C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll ()
nwiz - C:\WINDOWS\SYSTEM32\nwiz.exe ()
AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe (GRISOFT, s.r.o.)
SmcService - C:\PROGRA~1\Sygate\SPF\smc.exe (Sygate Technologies, Inc.)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
PVModule - C:\PROGRA~1\PRINTV~1\pvmodule.exe ()
uzm2ec00 - C:\WINDOWS\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
Omnipage - C:\Program Files\ScanSoft\OmniPageSE\opware32.exe (ScanSoft, Inc)
!AVG Anti-Spyware - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Hello!.BIGPIECEOF****\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk
path	C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup	C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h
item	Kodak EasyShare software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk
path	C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak software updater.lnk
backup	C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE 
item	Kodak software updater

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AudioDeck
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ADeck
hkey	HKLM
command	C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTFMON.EXE
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ctfmon
hkey	HKCU
command	C:\WINDOWS\system32\ctfmon.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Omnipage
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	opware32
hkey	HKLM
command	C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	qttask
hkey	HKLM
command	"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Reminder
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	reminder
hkey	HKCU
command	C:\Program Files\Microsoft Money\System\reminder.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]


----------



## No XPert (Aug 22, 2005)

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\sv1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{0BD8F503-3355-4A83-AA30-9A2D6F16D2F0} - (D-Link USB Remote NDIS Network Device)
{30347B5A-CE7C-43BD-AE4D-A03BE9D7E224} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

>>>>Output for AddOn file Policies.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings\\Key - A2 C4 6D C3 AB 1C 0A CF 0C 8F EA D4 0F B5 3B 20 
policies\Ratings\\FileName0 - C:\WINDOWS\system32\RSACi.rat
policies\Ratings\.Default\\Allow_Unknowns - 0
policies\Ratings\.Default\\PleaseMom - 1
policies\Ratings\.Default\\Enabled - 0
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html\\l - 4
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html\\n - 4
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html\\s - 4
policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html\\v - 1
policies\Ratings\PICSRules\.Default\\NumSys - 0
policies\Ratings\PICSRules\.Default\0\\dwFlags - 0
policies\Ratings\PICSRules\.Default\0\\errLine - 0
policies\Ratings\PICSRules\.Default\0\PRPolicy\\PRNumPolicy - 3
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUNonWild - 13
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUScheme - http
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUHost - www.google.com.au
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0\\PRBUUrl - www.google.com.au
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUNonWild - 13
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUScheme - http
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUHost - www.ebay.com.au
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0\\PRBUUrl - www.ebay.com.au
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\\PRPPolicyAttribute - 2
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\\PRNumURLExpressions - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUInternetPattern - 1
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUNonWild - 13
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUSpecified - 31
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUScheme - http
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUHost - au.ebayobjects.com.au
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUPort - 80
policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0\\PRBUUrl - au.ebayobjects.com.au
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption - 
policies\system\\legalnoticetext - 
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\Explorer\Run\\{B869CC14-08AD-3081-0716-03052403003d} - "C:\Program Files\Common Files\{B869CC14-08AD-3081-0716-03052403003d}\Update.exe" mc-110-12-0001232
policies\Explorer\Run\\{B869CC14-08AE-3081-0716-03052403003d} - "C:\Program Files\Common Files\{B869CC14-08AE-3081-0716-03052403003d}\Update.exe" mc-110-12-0001232
policies\System\\DisableRegistryTools - 0

>>>>Output for AddOn file Security.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
Security Center\\FirstRunDisabled - 1
Security Center\\AntiVirusDisableNotify - 0
Security Center\\FirewallDisableNotify - 0
Security Center\\UpdatesDisableNotify - 0
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\DependOnService - RpcSs;
BITS\\DependOnGroup - 
BITS\\ObjectName - LocalSystem
BITS\\Description - Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 
BITS\Parameters\\ServiceDll - C:\WINDOWS\system32\qmgr.dll
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe - C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe - C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe - C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msncall.exe - C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
wuauserv\\Type - 32
wuauserv\\Start - 2
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\system32\wuauserv.dll
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Logfile of HijackThis v1.99.1
Scan saved at 6:32:59 PM, on 26/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: (no name) - {CE65D4B2-71BE-4388-B38E-80CBD8EC7717} - C:\Program Files\MSN\horedo.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [uzm2ec00] RUNDLL32.EXE w011be6b.dll,n 0062ebfa0000000a011be6b
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Regards David


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixPolicies.zip file. Save it to your desktop. Unzip it and double click on the FixPolicies.reg file and allow it to enter into the registry.

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: (no name) - {CE65D4B2-71BE-4388-B38E-80CBD8EC7717} - C:\Program Files\MSN\horedo.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [uzm2ec00] RUNDLL32.EXE w011be6b.dll,n 0062ebfa0000000a011be6b

Then boot to safe mode:

*How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\Program Files\Common Files\{B869CC14-08AD-3081-0716-03052403003d}
C:\Program Files\Common Files\{B869CC14-08AE-3081-0716-03052403003d}
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe
C:\PROGRAM FILES\PRINTVIEW
C:\WINDOWS\system32\w011be6b.dll

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log along with a new Panda scan log please.
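The HijackThis entries picked out for "fix checked" above share a few recognisable shapes: a blanked IE start value, a `Shell=` line that chains a second program onto explorer.exe, BHO registrations whose DLL is gone, and a rundll32 autorun that loads a DLL by bare name. The following Python triage is an added example, not part of this thread or of HijackThis; its rules are my own heuristics drawn from those entries, and the sample log is a constructed subset of the lines posted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted in the thread
# plus a few benign entries, so the triage can be run offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {CE65D4B2-71BE-4388-B38E-80CBD8EC7717} - C:\Program Files\MSN\horedo.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [uzm2ec00] RUNDLL32.EXE w011be6b.dll,n 0062ebfa0000000a011be6b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with its section code (R0, F2, O2, O23, ...).
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# rundll32 <dll>[,entrypoint] [args]: the DLL token is what we inspect.
RUNDLL_RE = re.compile(r"RUNDLL32(?:\.EXE)?\s+([^\s,]+)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line looks benign.
    The rules are heuristics (assumptions), not HijackThis's own logic."""
    line = line.rstrip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.groups()

    # R0/R1: an IE start or search value that has been blanked out.
    if section.startswith("R") and re.search(r"=\s*$", body):
        return Finding(section, "IE start/search value has been blanked", line)

    # F2: system.ini Shell= should be exactly explorer.exe; anything appended
    # is launched alongside the shell at every logon.
    if section == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return Finding(section, "Shell= chains an extra program onto explorer.exe: " + shell, line)

    # O2: a BHO registration whose DLL no longer exists is an orphaned hook
    # (the file was removed but the CLSID registration survived).
    if section == "O2" and (body.endswith("(no file)") or body.endswith("(file missing)")):
        return Finding(section, "BHO registration whose DLL is gone (orphaned hook)", line)

    # O4: rundll32 loading a DLL by bare name rather than a full path means
    # the DLL is resolved through the search path, a common autorun trick.
    if section == "O4":
        r = RUNDLL_RE.search(body)
        if r and ":\\" not in r.group(1):
            return Finding(section, "rundll32 loads a DLL by bare name (resolved via search path): " + r.group(1), line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole HijackThis log and collect the findings."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```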


----------



## No XPert (Aug 22, 2005)

Ok Done. AVG detected a virus whilst running Panda Scan. I moved it to the vault. Panda Scan detected 29 nasties, but you will no doubt know that when you check the log/s.

Here they are....

Incident  Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf 
Potentially unwanted tool:application/zango Not disinfected hkey_current_user\software\Zango Messenger 
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179} 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][3].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][4].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt  
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\drv.exe 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\My Documents\Jade\cartoon pics\ZwinkySetup2.2.50.1.exe 
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\one.exe  
Adware:Adware/DollarRevenue Not disinfected C:\nckige.exe 
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe 
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3869CC14-08AD-3081-0716-03052403003d}\Uninst.exe 
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3869CC14-08AE-3081-0716-03052403003d}\Uninst.exe 
Potentially unwanted tool:Application/MSNContentPlus Not disinfected C:\WINDOWS\MSNImport.exe 
Adware:Adware/CWS Not disinfected C:\WINDOWS\system32\drv.exe 
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\one.exe

Logfile of HijackThis v1.99.1
Scan saved at 8:45:44 PM, on 27/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanks Again
Regards David


----------



## Cookiegal (Aug 27, 2003)

Go *here* to download AlcanShorty_en.exe and save it to your desktop.

Double click the *alcanShorty.exe* file and follow prompts. 
It will make a folder on desktop called *Alcan Shorty*
Open the Alcan Shorty folder & double click the *run.bat* file to run it.
This will download a file called BFU.exe and a BFU script. 
If your firewall asks for permission to connect to the Internet you must allow it.
A message box will pop up saying "complete". 
Be patient and wait for the message box to appear as it may take some time.
Press OK then BFU.exe will open. 
Select the option to "Show log after script ends"
Execute the script by clicking the *Execute* button.
Note that you should see a progress bar while the script is being executed.
When the script has finished press "copy" and that will make a copy of the report in your clipboard. 
Paste the log into Notepad and save it to your desktop to post back here later.
*Note*: If you have any questions about the use of BFU please read *here*.

Reboot and post a new HijackThis log and a new Panda scan log please.


----------



## No XPert (Aug 22, 2005)

Ok. Something weird happened. While running Alcanshorty, screen went weird saying active desktop encountered a problem. I think I ran it a few times by mistake. Didn't ask for access to net, but I had already run it previously, and allowed access before following your instructions exclusively.

Log File

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 10:17:10 PM, on 28/10/2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Deskbar\deskbar.dll|1 (file not found)
Failed: DllUnregister \asappsrv.dll|1 (file not found)
Failed: DllUnregister \MyToolBar.dll (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Failed: RegDelValue HKCU\software\microsoft\windows\currentversion\policies\explorer\run|{84c4d3ae-0bb0-1033-0729-050001} (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2p networking (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|SystemTools (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|eventwvr (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|truetype (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|0mcamcap (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|mysvcig38 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\update.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\services.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\activate.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\MyToolBar.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\update.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\services.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\activate.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\MyToolBar.dll (operation failed)
Failed: FolderDelete C:\Program Files\toolbar888 (folder not found)
Failed: FolderDelete C:\Program Files\e-mailpaysu toolbar (folder not found)
Failed: FolderDelete C:\Program Files\EMUSIC TOOLBAR (folder not found)
Failed: FolderDelete C:\Program Files\find dvd toolbar (folder not found)
Failed: FolderDelete C:\Program Files\GULESIDER VERKTøYLINJE (folder not found)
Failed: FolderDelete C:\Program Files\sesam-p4 toolbar (folder not found)
Failed: FolderDelete C:\Program Files\slownik ling (folder not found)
Failed: FolderDelete C:\Program Files\MediaPipe (folder not found)
Failed: FolderDelete C:\Program Files\p2pnetworks (folder not found)
Failed: FileDelete C:\DOCUME~1\HELLO!~1.BIG\LOCALS~1\Temp\~DF3361.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\Snowball Wars (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FolderDelete C:\WINDOWS\system32\crunner (folder not found)
Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
Failed: FolderDelete C:\Program Files\SDVita (folder not found)
Failed: FolderDelete C:\Program Files\EQBranch (folder not found)
Failed: FolderDelete C:\Program Files\EQArticle (folder not found)
Failed: FolderDelete C:\Program Files\PSHope (folder not found)
Failed: FolderDelete C:\Program Files\Batty (folder not found)
Failed: FolderDelete C:\Program Files\Batty2 (folder not found)
Failed: FolderDelete C:\Program Files\AXFibula (folder not found)
Failed: FolderDelete C:\Program Files\CMFibula (folder not found)
Failed: FolderDelete C:\Program Files\PSLister (folder not found)
Failed: FolderDelete C:\Program Files\PSCloner (folder not found)
Failed: FolderDelete C:\Program Files\PSDream (folder not found)
Failed: FolderDelete C:\Program Files\cmapp (folder not found)
Failed: FolderDelete C:\Program Files\cmman (folder not found)
Failed: FolderDelete C:\Program Files\cmsystem (folder not found)
Failed: FolderDelete C:\Program Files\fcengine (folder not found)
Failed: FolderDelete C:\Program Files\wincmapp (folder not found)
Failed: FolderDelete C:\Program Files\Deskbar\Cache (folder not found)
Failed: FolderDelete C:\Program Files\popupwithcast (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\cloader (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderCreate C:\bintheredunthat (folder already exists)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

Regards David


----------



## Cookiegal (Aug 27, 2003)

> Reboot and post a new HijackThis log and a new Panda scan log please.


----------



## No XPert (Aug 22, 2005)

No problems running this time. Logs following.

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf 
Potentially unwanted tool:application/zango Not disinfected hkey_current_user\software\Zango Messenger 
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179} 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][3].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][4].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][4].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\drv.exe 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\My Documents\Jade\cartoon pics\ZwinkySetup2.2.50.1.exe 
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\one.exe 
Adware:Adware/DollarRevenue Not disinfected C:\nckige.exe 
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe 
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3869CC14-08AD-3081-0716-03052403003d}\Uninst.exe 
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3869CC14-08AE-3081-0716-03052403003d}\Uninst.exe 
Potentially unwanted tool:Application/MSNContentPlus Not disinfected C:\WINDOWS\MSNImport.exe 
Adware:Adware/CWS Not disinfected C:\WINDOWS\system32\drv.exe 
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\one.exe

Logfile of HijackThis v1.99.1
Scan saved at 7:46:43 AM, on 29/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanks
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixNoXpert.zip file to this post. Save it to your desktop. Unzip it and double click on the FixNoXpert.reg file and allow it to enter into the registry.

Boot to safe mode and run Killbox on these files.

c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
C:\Documents and Settings\Hello!.BIGPIECEOF****\drv.exe
C:\Documents and Settings\Hello!.BIGPIECEOF****\My Documents\Jade\cartoon pics\ZwinkySetup2.2.50.1.exe
C:\Documents and Settings\Hello!.BIGPIECEOF****\one.exe
C:\nckige.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\{3869CC14-08AD-3081-0716-03052403003d}
C:\Program Files\Common Files\{3869CC14-08AE-3081-0716-03052403003d}
C:\WINDOWS\MSNImport.exe
C:\WINDOWS\system32\drv.exe
C:\WINDOWS\system32\one.exe

Reboot and post the results of another Panda scan please


----------



## No XPert (Aug 22, 2005)

Hello again Cookiegal. Thank you for being sooooo patient with me on this. You're a champion.

Here's latest Panda Log.

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} 
Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287} 
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} 
Adware:Adware/CWS Not disinfected C:\!KillBox\drv.exe 
Adware:Adware/CWS Not disinfected C:\!KillBox\drv.exe( 1) 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\!KillBox\f3initialsetup1.0  
Potentially unwanted tool:Application/MSNContentPlus Not disinfected C:\!KillBox\MSNImport.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\one.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\one.exe( 2) 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\ZwinkySetup2.2 
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\{3869CC14-08AD-3081-0716-03052403003d}\Uninst.exe 
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\{3869CC14-08AE-3081-0716-03052403003d}\Uninst.exe 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][3].txt  
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][4].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][4].txt  
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Local Settings\Temporary Internet Files\Content.IE5\W9QFWLQR\popup[1].htm 
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe 
Thanks Again
Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

Click *Start - Control Panel - Add/Remove Programs*
In the list of installed software, look for *PuritySCAN By OIN*, *Cowabanga*, *OuterInfo*, *OIN* or similar
If you find it:
Click on it and click *Remove*.
Reboot and delete the folder *C:\Program Files\PurityScan* (if it's still there).

If not:
Download and run the Oiuninstaller
There is a tutorial for the uninstaller available
When the uninstaller is done, *reboot* and delete the folder *C:\Program Files\PurityScan*


Go to Control Panel - Add/Remove programs and remove these if there:

MyWebSearch
FunWebProducts

I'm attaching a FixNoXpert2.zip file. Save it to your desktop. Unzip it and double click on the FixNoXpert2.reg file and allow it to enter into the registry.

Boot to safe mode and run Killbox on this file:

*C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe*

Reboot and run another Panda scan and post the results please.


----------



## No XPert (Aug 22, 2005)

All Done. None of the files were in Control Panel. After running Oiuninstaller, C:\Program Files\PurityScan was not in C drive. The file you asked to run Killbox on "Did Not Exist".
AVG detected a Trojan Horse virus whilst running PandaScan (2 occasions, No action taken).

Latest Log.

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} 
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\!KillBox\f3initialsetup1.0 
Potentially unwanted tool:Application/MSNContentPlus Not disinfected C:\!KillBox\MSNImport.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\one.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\one.exe( 2) 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\ZwinkySetup2.2 
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\{3869CC14-08AD-3081-0716-03052403003d}\Uninst.exe 
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\{3869CC14-08AE-3081-0716-03052403003d}\Uninst.exe 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][3].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][4].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][3].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Local Settings\Temporary Internet Files\Content.IE5\W9QFWLQR\popup[1].htm 
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe 
Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

Are you comfortable editing the registry manually?


----------



## No XPert (Aug 22, 2005)

Never done it ...but hey.... Why not???? What's the worst that can happen??? I format the 'puter and start again right??? Should I back up all my important stuff onto disc first???
Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

It's always a good idea to back up important data even when things are running smoothly. Believe me, I speak from experience.

We will create a backup of the registry that can be restored if necessary. There are two entries to fix that are relatively easy to do so you should be fine.

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Expand the following registry keys/sub-keys by clicking on the + to their left.

+ HKEY_CURRENT_USER
+ Software
+ Microsoft
+ Windows
+ CurrentVersion
+ Ext
+ Stats

Under Stats in the left-hand pane you will see a long list of numbers (these are called CLSIDs). In that list find both of the following and when you find them, right click on them and select "delete." Be careful that the numbers are identical though, as there could be valid CLSIDs that would have only one digit different.

*{07B18EAB-A523-4961-B6BB-170DE4475CCA}*

*{9FF05104-B030-46FC-94B8-81276E4E27DF}*

Then boot to safe mode and run Killbox but this time with the delete on reboot option, as follows:


Please double-click *Killbox.exe* to run it.
Select:
*Delete on Reboot*
then *Click* on the *All Files* button.

Please *copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe*

 Return to Killbox, go to the *File* menu, and choose *Paste from Clipboard*.

Click the red-and-white *Delete File* button. Click *Yes* at the Delete on Reboot prompt. Click *OK* at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

_*If your computer does not restart automatically, please restart it manually*_.

Reboot and post a new Panda scan log please.


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
Sorry it took so long to do this one. Had issues with burner program, doing backup discs of important files.

All done as instructed. During Killbox operation, I did get the PendingFileRenameOperations prompt, although the computer did not reboot itself. Had to do Manual reboot.

Here's latest PandaScan log.....

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} 
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\!KillBox\f3initialsetup1.0 
Potentially unwanted tool:Application/MSNContentPlus Not disinfected C:\!KillBox\MSNImport.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\one.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\one.exe( 2) 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\ZwinkySetup2.2 
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\{3869CC14-08AD-3081-0716-03052403003d}\Uninst.exe  
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\{3869CC14-08AE-3081-0716-03052403003d}\Uninst.exe 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][3].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][4].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt 
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt  
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][3].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt  
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][2].txt 
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Cookies\[email protected][1].txt 
I should have more time available (hopefully when you're online) to put into this over the next week or so. Thank you for your patience.
Regards Dave.
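A scanner log in the layout posted above can be triaged mechanically rather than read line by line. The Python script below is an added example, not part of this thread and not a Panda or Killbox tool; it assumes the line shape seen in these posts (`class:name`, the status `Not disinfected`, then a location), and the sample log embedded in it is constructed from lines of that shape. The distinction it draws is the one that matters when reading these logs: registry keys and files on the live filesystem still need attention, while hits under `C:\!KillBox\` are the backup copies Killbox keeps of files it has already deleted, and tracking cookies are data rather than code.

```python
"""Triage a Panda ActiveScan incident log of the kind posted in this thread.

Each incident line has the shape
    <class>:<detection name> Not disinfected <location>
The triage separates hits that still need attention (registry keys, files on
the live filesystem) from hits that are noise: Killbox keeps a copy of every
file it deletes under C:\\!KillBox\\, so a scanner keeps reporting those copies
until the folder is emptied, and tracking cookies are data, not code.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

STATUS = " Not disinfected "   # the only status present in the posted logs

# Constructed sample in the same layout as the logs in this thread.
SAMPLE_LOG = r"""
Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA}
Adware:Adware/CWS Not disinfected C:\!KillBox\drv.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\one.exe( 2)
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Hello!.BIGPIECEOF****\Local Settings\Temporary Internet Files\Content.IE5\W9QFWLQR\popup[1].htm
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
"""


@dataclass
class Incident:
    kind: str       # "Adware", "Spyware", "Potentially unwanted tool", ...
    name: str       # "Adware/CWS", "Cookie/Atwola", ...
    location: str   # registry key or file path as reported
    bucket: str     # registry | quarantine | cookie | live_file


def classify_location(location: str) -> str:
    """Decide what kind of object the scanner is pointing at."""
    loc = location.lower()
    if loc.startswith("hkey_"):
        return "registry"
    if loc.startswith("c:\\!killbox\\"):
        return "quarantine"        # Killbox backup copy of an already-deleted file
    if "\\cookies\\" in loc:
        return "cookie"
    return "live_file"


def parse_line(line: str) -> Optional[Incident]:
    """Parse one incident line; header, blank and unknown-status lines give None."""
    line = line.strip()
    if STATUS not in line:
        return None
    left, location = line.split(STATUS, 1)
    kind, _, name = left.partition(":")
    location = location.strip()
    return Incident(kind.strip(), name.strip(), location, classify_location(location))


def parse_log(text: str) -> list[Incident]:
    return [inc for inc in map(parse_line, text.splitlines()) if inc is not None]


def summarize(incidents: list[Incident]) -> Counter:
    """Count incidents per bucket."""
    return Counter(inc.bucket for inc in incidents)


def actionable(incidents: list[Incident]) -> list[Incident]:
    """Hits still worth a human's time: registry keys and files outside quarantine."""
    return [inc for inc in incidents if inc.bucket in ("registry", "live_file")]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(dict(summarize(found)))
    for inc in actionable(found):
        print(f"{inc.bucket:9} {inc.name:28} {inc.location}")
```

Run against the sample, the script reports one registry hit and two live files as actionable and sets aside the two `C:\!KillBox\` copies and the cookie, which is the same split the helper makes by eye in the replies above.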


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal, 
Just a quick report. Today when I booted up, the computer didn't assign a directory for LAN. When I clicked the window to look at the cause of the problem, the computer shut down and rebooted. Message came up as "recovered from a serious error". Thought that might be important info after doing Regedit last night. No problems so far since it rebooted.

Kind Regards
Dave


----------



## No XPert (Aug 22, 2005)

Hi Again,
AVG has performed its scheduled check and found 2 Viruses....Trojan Horse Downloader.Generic2.VBY.... &....Worm/Kelvir.LF Hope this helps.

Regards Dave


----------



## Cookiegal (Aug 27, 2003)

Where did AVG find those viruses?


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
Whilst offline I've had a few more incidents with the computer just shutting down and rebooting.
AVG found Trojan in...C:\System Volume Information\_restore{835AD6E8-7A58-4DE4-B66D-F0FE80528E86}\RP398\A0077406.exe

Worm/Kelvir.LF in...C:\Documents and Settings\Hello!\BIGPIECEOF****\Speed.exe
(I think I copied that down right??)

I'm online all afternoon if the computer doesn't kick me off!!
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

Is that actually the name you gave your user account? Hello!.BIGPIECEOF....?


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
Ah yes. Sorry bout that. "Hello" is the user name. "BIGPIECEOFS**T" is what I called the computer, cause that's what it is. She ain't flash, and always seems to have niggly problems. I must have formatted it about 10 times before I got internet and found this site. Didn't think about it showing up on forums when I did it.

I like to play on words for usernames and stuff, hence "No XPert". No nothing bout XP!!!
My chatroom user name is "AFoulSmell" so when I enter it announces...AFoulSmell has entered the room, Please say hello! Good for a laugh and conversation starter.

Regards Dave


----------



## No XPert (Aug 22, 2005)

Just a thought. Should I maybe upgrade my protection to stop further infections while we sort this out??? What do you recommend??? Would it be quicker/easier just to format the HDD or is the virus deeper than that???
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

What do you mean by upgrade your protection?

Download *SDFix* and save it to your desktop.

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose *Extract All*,
Open the extracted folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file *Report.txt* back onto the forum with a new HijackThis log.


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
I just thought that the security programs I'm running allowed this through, so maybe there are some other programs I should / could run that might be better. Just asking the question. I trust your judgement and advice.

Ran SDFix. When computer booted back to normal, screen to run program was still up so I cancelled that one.

Logs...

SDFix: Version 1.35
-------------------

Scan run on: 
Mon 06/11/2006

Time:
09:27 AM

Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop\SDFix\SDFix

Stage One...

Checking Services...

Name: 
-----

hide_evr2

Path:
----

\??\C:\WINDOWS\hide_evr2.sys

hide_evr2 Deleted...

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

HJT Log....

Logfile of HijackThis v1.99.1
Scan saved at 9:31:27 AM, on 6/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SDFix] C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop\SDFix\SDFix\RunThis.bat /second
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Regards Dave.
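The HijackThis log above is the third one in this thread, and the helper reads each one the same way: by section code, looking first at the entry types that load code automatically. The Python script below is an added example, not part of the thread and not a HijackThis feature; it parses a v1.99 log into (section code, body) pairs and applies three checks of that kind. The O4 and O16 lines in its embedded sample are in the layout of the log above, the F2 `Shell=` line is constructed to exercise the shell check (it goes beyond the log above, which has no F2 entry), and the trusted-host set and the user-writable path markers are assumptions chosen for the example.

```python
"""Triage a HijackThis v1.99 log: split it into entries by section code and
flag the entry types a helper looks at first.

Checks implemented (all heuristics, meant to prompt a look, not to convict):
  O4  - logon autorun whose command line lives in a user-writable tree
  O16 - ActiveX (DPF) download from a host not on an assumed vetted list
  F2  - Winlogon Shell value that is anything other than plain explorer.exe
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body layout: HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed for this example: ActiveX download hosts the helper has already vetted.
TRUSTED_DPF_HOSTS = {"messenger.zone.msn.com", "acs.pandasoftware.com"}
# Assumed: logon autoruns normally live under Program Files or Windows, not here.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\desktop\\")

# Constructed sample: the O4/O16 lines follow the layout of the log in this
# thread; the F2 line is invented to exercise the shell check.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=explorer.exe "C:\example\extra.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SDFix] C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop\SDFix\SDFix\RunThis.bat /second
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
"""


@dataclass
class Finding:
    code: str     # HijackThis section code, e.g. "O4"
    reason: str   # why the entry was flagged
    entry: str    # the entry body exactly as logged


def parse_entries(text: str) -> list[tuple[str, str]]:
    """Return (section code, body) for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def check_o4(body: str) -> Optional[str]:
    m = O4_RE.match(body)
    cmd = (m["cmd"] if m else body).lower()
    if any(marker in cmd for marker in USER_WRITABLE_MARKERS):
        return "logon autorun launched from a user-writable location"
    return None


def check_o16(body: str) -> Optional[str]:
    url = body.rsplit(" - ", 1)[-1]          # the download URL is the last field
    host = urlparse(url).hostname or ""
    if host not in TRUSTED_DPF_HOSTS:
        return f"ActiveX download from unvetted host {host or '<none>'}"
    return None


def check_f2(body: str) -> Optional[str]:
    if "Shell=" not in body:
        return None
    shell = body.split("Shell=", 1)[1].strip()
    if shell.lower() != "explorer.exe":
        return "Winlogon shell is not plain explorer.exe"
    return None


CHECKS: dict[str, Callable[[str], Optional[str]]] = {
    "O4": check_o4, "O16": check_o16, "F2": check_f2,
}


def triage(text: str) -> list[Finding]:
    """Run the per-section checks and collect everything that was flagged."""
    findings = []
    for code, body in parse_entries(text):
        check = CHECKS.get(code)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(code, reason, body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.code:4} {f.reason}\n     {f.entry}")
```

On the sample this flags the constructed F2 line, the `RunThis.bat /second` autorun and the `activex.matcash.com` download. The O4 hit is a good illustration of why these are prompts rather than verdicts: its path points at the SDFix script just run in the post above, so a person reconciles it against the tool they used instead of treating it as an infection.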


----------



## Cookiegal (Aug 27, 2003)

How are things running now?


----------



## No XPert (Aug 22, 2005)

Things seem OK. Haven't had any Shutdowns. Still get a popup through Sygate firewall about some file blocked. Trying to catch its full path so I can check if I should be allowing it. It's got NDIS in its pathname there somewhere. Does that mean anything to you?? Other than that all seems fine at the moment.
Is everything looking OK by my logs now??? Do you think we've got it sorted???
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

If it's *NDIS User Mode I/O Driver (ndisuio.sys)* then it's not malicious and you should allow it.

Yes, everything looks fine now.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start - All Programs - Accessories - System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## No XPert (Aug 22, 2005)

OK all done. Everything still appears to be running fine. I'll give a couple of days before I sign it off as solved, but for now, THANK YOU so much Cookiegal. I appreciate your patience with me on this one.

Onward cyber SUPERHEROINE, you have more evil to destroy!!! LOL!

THANK YOU! THANK YOU!

Kindest Regards
David.


----------



## No XPert (Aug 22, 2005)

Nope, all is not fine. Just had another "auto shutdown". The saga continues. LOL
Await your further instructions. I'll have the petrol (gasoline) and a match ready, just say when!!! LOL
Regards David


----------



## Cookiegal (Aug 27, 2003)

Download GMER from http://www.gmer.net

Save it somewhere safe & unzip it to desktop

Double click the gmer.exe to run it and select the rootkit tab, press scan and when it has finished press save and copy the log back here please.


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal, I haven't forgotten you, just haven't been able to get through the gmer scan yet without Computer Shutting down. Still Trying for ya.
Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

If you can't get that one to run, try this one:

Download RootkitRevealer from *here* (link is at the very bottom of the page).
Unzip it to your desktop.
Open the RootkitRevealer folder and double-click *rootkitrevealer.exe*
Click the *Scan* button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to *File - Save*. Choose to save it to your desktop.
Open *RootkitRevealer.txt* on your desktop and copy the entire contents and paste them here.


----------



## No XPert (Aug 22, 2005)

Ok tried gmer 4 times today....All shutdown. Tried Rootkitrevealer twice... both times shutdown. Gmer showed message before scan highlighting this file in red.
Type - Service. 
Name - C:\Windows\system32:lzx32.sys(***hidden***) 
Value - [system]pe386

Does that help any????
Regards Dave

P.S. Active desktop has gone AWOL again too.


----------



## Cookiegal (Aug 27, 2003)

Yes it does help a lot.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Drivers to unload:
> pe386
> lzx32


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*"
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
Click *Done*
Now click on the *Green Light* to begin execution of the script
Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avengers actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HijackThis log. Also, see if you can get GMER to complete a scan now. *


----------



## No XPert (Aug 22, 2005)

Ok Done. Came up with an error the first time I tried to run it. Ran fine on second attempt.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\frkhkehb

*******************

Script file located at: \??\C:\WINDOWS\system32\ggrtjjjx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key \Registry\Machine\System\CurrentControlSet\Services\pe386 not found!
Unload of driver pe386 failed!

Could not process line:
pe386
Status: 0xc0000034

Registry key \Registry\Machine\System\CurrentControlSet\Services\lzx32 not found!
Unload of driver lzx32 failed!

Could not process line:
lzx32
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 9:33:36 AM, on 9/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SDFix] C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop\SDFix\SDFix\RunThis.bat /second
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GESUI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\HELLO!~1.BIG\LOCALS~1\Temp\GESUI.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Off to try the GMER scan now. Will post results soon.
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

:up:


----------



## No XPert (Aug 22, 2005)

Finally got Gmer to work. Here's the log....

No crashes so far today!! WOO HOO!!!

Regards Dave


----------



## Cookiegal (Aug 27, 2003)

I don't know what you did but it's not showing now.

What program did you run from Sysinternals? It's not bad, I'm just wondering because that service wasn't in your log before.


----------



## No XPert (Aug 22, 2005)

Lost me on that one. What's not showing now?? Don't know anything about "Sysinternals". I never heard of it before. Nothing like that has shown on screen whilst running programs (I sit here and watch every scan run...boring). I have only run the programs you requested me to.

Have had 2 crashes today, but none yesterday. Confusing??? 
Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

What's not showing are the entries that you spotted while GMER was running that indicated the presence of a rootkit.

I realize now that the Sysinternals entry is from RootkitRevealer.

Download *Combofix* to your desktop.

Doubleclick *combo.exe* and follow the prompts.

*Do NOT click on the window while the fix is running because that will cause your system to hang.*

When finished and after reboot, it should open a log, combofix.txt.

Post this log in your next reply together with a new Hijackthis log.


----------



## No XPert (Aug 22, 2005)

Ok All Done,

Hello! - 06-11-10 12:47:33.03 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-10 to 2006-11-10 ))))))))))))))))))))))))))))))))))

2006-11-07	13:27	80	--a------	C:\WINDOWS\gmer_uninstall.cmd
2006-11-03	19:20	81,920	--a------	C:\WINDOWS\system32\viscomwave.dll
2006-11-03	19:20	643,072	--a------	C:\WINDOWS\system32\DVDProX2.dll
2006-11-03	19:20	344,064	--a------	C:\WINDOWS\system32\msvcr70.dll
2006-11-03	19:20	339,968	--a------	C:\WINDOWS\system32\MP3EncX.dll
2006-11-03	19:20	28,672	--a------	C:\WINDOWS\system32\SmartMenuXP.dll
2006-11-03	19:20	139,264	--a------	C:\WINDOWS\system32\voltoCDX.dll
2006-11-03	19:20	1,110,016	--a------	C:\WINDOWS\system32\NMSDVDXU.dll
2006-10-24	18:18	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-22	14:06	1,259	--a------	C:\WINDOWS\system32\uzm2ec00.sys
2006-10-22	14:04	113,664	--a------	C:\WINDOWS\system32\goll.exe
2006-10-22	13:34	113,664	--a------	C:\Documents and Settings\Hello!.BIGPIECEOF****\goll.exe
2006-10-18	12:42	6,032	-ra------	C:\WINDOWS\system32\drivers\flatmdfl.sys
2006-10-18	12:41	87,360	-ra------	C:\WINDOWS\system32\drivers\flatmdm.sys
2006-10-18	12:41	6,112	-ra------	C:\WINDOWS\system32\drivers\flatcmnt.sys
2006-10-18	12:41	6,112	-ra------	C:\WINDOWS\system32\drivers\flatcm.sys
2006-10-18	12:41	52,480	-ra------	C:\WINDOWS\system32\drivers\flatbus.sys
2006-10-18	12:41	5,776	-ra------	C:\WINDOWS\system32\drivers\flatwhnt.sys
2006-10-18	12:41	5,776	-ra------	C:\WINDOWS\system32\drivers\flatwh.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-09 15:45	24820	--a------	C:\WINDOWS\system32\drivers\MxlW2k.sys
2006-11-09 09:33	--------	d--------	C:\Program Files\Hijackthis
2006-11-06 13:31	--------	d--------	C:\Program Files\SpywareBlaster
2006-11-04 09:42	10022	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-04 09:30	--------	d--------	C:\Program Files\Windows Media Player
2006-11-03 22:55	--------	d--------	C:\Program Files\QuickTime
2006-11-03 22:51	--------	d--------	C:\Program Files\Internet Explorer
2006-11-03 19:36	--------	d--h-----	C:\Program Files\InstallShield Installation Information
2006-11-03 19:35	--------	d--------	C:\Program Files\Java
2006-11-03 19:35	--------	d--------	C:\Program Files\Common Files
2006-11-03 19:10	--------	d--------	C:\Program Files\ahead
2006-10-30 05:42	--------	d--------	C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\FrostWire
2006-10-29 19:50	--------	d--------	C:\Program Files\FrostWire
2006-10-27 20:17	--------	d--------	C:\Program Files\MSN Messenger
2006-10-24 19:34	--------	d--------	C:\Program Files\ComPlus Applications
2006-10-24 18:18	--------	d--------	C:\Program Files\Grisoft
2006-10-23 18:25	--------	d--------	C:\Program Files\ewido anti-malware
2006-10-22 20:16	--------	d--------	C:\Program Files\Common Files\ScanSoft Shared
2006-10-22 20:16	--------	d--------	C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\ScanSoft
2006-10-22 20:15	--------	d--------	C:\Program Files\ScanSoft
2006-10-22 17:19	--------	d--------	C:\Program Files\MSN
2006-10-16 07:46	--------	d---s----	C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\Microsoft
2006-10-16 07:46	--------	d--------	C:\Program Files\MSN Games
2006-10-01 15:50	--------	d--------	C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\AdobeUM
2006-10-01 15:47	873	--a------	C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\AdobeDLM.log
2006-10-01 15:47	0	--a------	C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\dm.ini
2006-10-01 15:40	--------	d--------	C:\Program Files\Common Files\Adobe
2006-10-01 14:54	--------	d--------	C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\Adobe
2006-10-01 14:53	--------	d--------	C:\Program Files\Adobe
2006-09-27 09:07	778656	--a------	C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-21 21:31	--------	d--------	C:\Program Files\Common Files\Microsoft Shared
2006-09-21 16:52	--------	d--------	C:\Documents and Settings\Hello!.BIGPIECEOF****\Application Data\LimeWire
2006-09-21 16:32	--------	d--------	C:\Program Files\EndItAll
2006-09-13 15:01	1084416	--a------	C:\WINDOWS\system32\msxml3.dll
2006-08-26 01:45	617472	--a------	C:\WINDOWS\system32\comctl32.dll
2006-08-21 22:21	16896	--a------	C:\WINDOWS\system32\fltlib.dll
2006-08-21 19:14	23040	--a------	C:\WINDOWS\system32\fltmc.exe
2006-08-16 21:58	100352	--a------	C:\WINDOWS\system32\6to4svc.dll
2006-08-13 16:36	356352	--a------	C:\WINDOWS\eSellerateEngine.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SDFix"="C:\\Documents and Settings\\Hello!.BIGPIECEOF****\\Desktop\\SDFix\\SDFix\\RunThis.bat /second"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\kyze.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\howyny.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="Kodak software updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADeck"
"hkey"="HKLM"
"command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="opware32"
"hkey"="HKLM"
"command"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="reminder"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Money\\System\\reminder.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]	
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-10 12:49:47.56 
C:\ComboFix.txt ... 06-11-10 12:49

Logfile of HijackThis v1.99.1
Scan saved at 12:59:44 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SDFix] C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop\SDFix\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GESUI - Unknown owner - C:\DOCUME~1\HELLO!~1.BIG\LOCALS~1\Temp\GESUI.exe (file missing)
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

No further crashes so far today.
Regards dave.


----------



## Cookiegal (Aug 27, 2003)

Go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\WINDOWS\system32\drivers\flatmdfl.sys
C:\WINDOWS\system32\drivers\flatmdm.sys
C:\WINDOWS\system32\drivers\flatcmnt.sys
C:\WINDOWS\system32\drivers\flatcm.sys
C:\WINDOWS\system32\drivers\flatbus.sys
C:\WINDOWS\system32\drivers\flatwhnt.sys
C:\WINDOWS\system32\drivers\flatwh.sys*


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
Done them all. All said "Nothing Found".
I haven't checked with the other users, but since I've been on the computer, NO crashes so far!

Regards David.


----------



## Cookiegal (Aug 27, 2003)

Fix this with HijackThis. There's no need to have it running.

*O4 - HKLM\..\Run: [SDFix] C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop\SDFix\SDFix\RunThis.bat /second*

Boot to safe mode and run Killbox on these files:

*C:\WINDOWS\system32\uzm2ec00.sys
C:\WINDOWS\system32\goll.exe
C:\Documents and Settings\Hello!.BIGPIECEOF****\goll.exe*

How many other users are there on this computer?
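The entries Cookiegal singles out above (a Run value launched from a user's Desktop, a service whose binary sat in a Temp folder and then went missing, and the GMER line naming a driver stored as an NTFS alternate data stream on system32) can be picked out of a HijackThis log by script. The following is an added example, not HijackThis code or anything from this thread; the heuristics, the `triage`/`is_ads_path` names and the sample log (assembled from lines posted earlier in the thread) are this example's own assumptions.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses O4 (Run keys) and O23 (services) lines and flags what a helper looks
for by eye: binaries running from Temp or a user profile, service binaries
that are missing or carry no publisher, and alternate-data-stream paths of
the kind GMER reported ("C:\\Windows\\system32:lzx32.sys").  The heuristics
are this example's own assumptions, not HijackThis rules.
"""
import re
from dataclasses import dataclass

# Constructed sample built from log lines posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SDFix] C:\Documents and Settings\Hello!.BIGPIECEOF****\Desktop\SDFix\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: GESUI - Unknown owner - C:\DOCUME~1\HELLO!~1.BIG\LOCALS~1\Temp\GESUI.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<item>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
# Executable at the start of a Run command: either quoted, or everything up
# to the first known extension (unquoted paths may contain spaces).
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|bat|cmd|com|scr|pif|dll)))(?=\s|,|$)', re.I)
# Drive-letter path whose last component carries a stream name (a second ':'),
# i.e. file data hidden in an NTFS alternate data stream of a file or folder.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")


@dataclass
class Finding:
    section: str   # "O4" or "O23"
    item: str      # Run value name or service name
    path: str      # executable the entry launches
    reasons: list  # why it was flagged


def is_ads_path(path: str) -> bool:
    """True for paths like C:\\Windows\\system32:lzx32.sys (an ADS)."""
    return bool(ADS_RE.match(path.strip()))


def _exe_of(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()          # no recognisable extension: keep whole command
    return m.group("q") or m.group("u")


def _location_reasons(path: str) -> list:
    p = path.lower()
    reasons = []
    if "\\temp\\" in p or "\\locals~1\\" in p:
        reasons.append("runs from a Temp folder")
    if "documents and settings" in p or "\\docume~1\\" in p:
        reasons.append("runs from a user profile, not Program Files or system32")
    if is_ads_path(path):
        reasons.append("alternate data stream path")
    return reasons


def parse_o23(line: str):
    """Split an O23 line into (name, owner, path, file_missing)."""
    m = O23_RE.match(line)
    if not m or " - " not in m.group("rest"):
        return None
    rest = m.group("rest")
    missing = rest.endswith("(file missing)")
    if missing:
        rest = rest[: -len("(file missing)")].rstrip()
    head, path = rest.rsplit(" - ", 1)      # path is always the last segment
    name, _, owner = head.partition(" - ")  # owner may itself contain " - "
    return name, owner, path, missing


def triage(log_text: str) -> list:
    """Return only the O4/O23 entries that trip at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = _exe_of(m.group("cmd"))
            reasons = _location_reasons(path)
            if reasons:
                findings.append(Finding("O4", m.group("item"), path, reasons))
        elif line.startswith("O23 - "):
            parsed = parse_o23(line)
            if parsed is None:
                continue
            name, owner, path, missing = parsed
            reasons = _location_reasons(path)
            if missing:
                reasons.append("service binary no longer on disk")
            if owner.lower() == "unknown owner":
                reasons.append("no company name in file version info")
            if reasons:
                findings.append(Finding("O23", name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.item}] {f.path}\n    " + "; ".join(f.reasons))
    print("ADS path?", is_ads_path(r"C:\Windows\system32:lzx32.sys"))
```

Entries from known Program Files or system32 locations pass through untouched; only the SDFix Run value and the GESUI service are reported for the sample above.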


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
Ok all done. No dramas or errors to report. All files found and deleted.

Some weird stuff's been happening today, before I did what you requested. Last night when I turned the computer off, it rebooted again. Then when I turned it on this morning (normal startup) it came up with the same "recovered from a serious error" message. Also I had to allow 3 files access to the internet again: AVG Spyware, NDIS & Ewido.

There are two other users of the computer, my wife, and my daughter. They're on it more than me. Still only use the one account though...."Hello!" (That's the account name). Having said that, when booting into safe mode it does show "Administrator" and "Hello!" accounts. I've been working from the "Hello!" account in safemode.

Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

You shouldn't have Ewido on the system now. It was replaced by AVG Anti-Spyware. Did you remove it?

So everything's been fine today?

Let's see how it is after another shutdown and restart in the morning.


----------



## No XPert (Aug 22, 2005)

Ewido does not show up in Add/Remove Programs, but I still have a folder in Program Files for it that has files in it. I don't know if it's still functioning in the background or not, but that's the only evidence I could find of it. No problems or shutdowns since the first startup when it displayed the "serious error" message. It's been about 2 hrs or so now. We'll just wait and see. Will post again if we have any incidents OK?


----------



## No XPert (Aug 22, 2005)

Just checked Sygate Firewall. Somewhere, somehow the applications list of blocked/allowed programs has been cleared. I currently am only showing the 4 programs that I allowed access today. Does that mean I could have the "gate" open to further infections??? Especially if the girls log on to MSN??? Just concerned... don't want to waste all our (YOUR) hard work.

The files allowed were: AVG Antispyware, Generic host for Win32 services,Internet Explorer, and NDIS. Don't know where I saw Ewido in there earlier, maybe I was still half asleep. LOL. Sorry.


----------



## No XPert (Aug 22, 2005)

Just surfing Ebay, Internet explorer encountered problem with "Flash9.ocx", and needed to close. Something to do with Adobe Flash Player. ?????


----------



## Cookiegal (Aug 27, 2003)

Check Sygate's settings of allowed programs to be sure you're not allowing anything you shouldn't be and be sure it's set to ask so if something comes up you can tell it what to do.

As for EBay and flash, does IE crash every time you try to access Ebay or just on a certain page? I'm reading that there are some compatibility issues with version 9 and some have had to revert back to version 8.


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
All seems to be fine now. Small prob with Ebay hasn't occurred again. Even opened the same page with no issues. Ran PC for 16 hrs yesterday.... NO problems at all. It's been on for about 2hrs so far today....NO Problems.
I think this time we (YOU!!) have got it sorted. I'll leave it for a couple of days before checking it as problem solved.
Thank you sooooo much!! You are one patient lady!!

Kindest Regards
David.


----------



## Cookiegal (Aug 27, 2003)

That's great. Let me know if any problems show up over the next few days.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## No XPert (Aug 22, 2005)

According to the wife, it shut down on her whilst she was on MSN this morning. Hasn't happened on any other time so maybe just a problem with MSN now. Will wait and see.
I'll do what you recommend in last post and see how it goes over next coupla days.
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

OK, keep me posted please.


----------



## No XPert (Aug 22, 2005)

AAAhhhhhh! It's still doing it. Active desktop went AWOL again. Three crashes today. Not in MSN only this time. Even done it while sitting idle. No-one touching it. Could this problem be hardware maybe? Wasn't doing it before the virus although I'd added a memory stick around the time we got the virus. Just thoughts.
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

It could well be hardware related.

Please go to Start - Run - type in eventvwr.msc and click OK.

Look under "application" and "system" and see if there are any errors from today that are shown in red. If so, double click to open it and then click on the icon that looks like two pieces of paper. That will copy it to the clipboard. Then paste it here please.


----------



## No XPert (Aug 22, 2005)

Lots of Yellow Warnings & Red Errors in there.

Sygate logged some nasties too!!!

15/11/2006 8:56:57 AM	Application Hijacking	Critical	Outgoing	TCP	guru.grisoft.com [193.86.3.36]	00-15-E9-22-EA-DE	10.1.1.2	00-15-E9-22-EA-E0	C:\Program Files\Grisoft\AVG Free\avgamsvr.exe	Hello!	BIGPIECEOF****	Normal	1	15/11/2006 8:55:53 AM	15/11/2006 8:55:53 AM	
14/11/2006 8:16:47 PM	Application Hijacking	Critical	Outgoing	TCP	www.incredimail.com [206.82.140.162]	00-15-E9-22-EA-DE	10.1.1.2	00-15-E9-22-EA-E0	C:\Program Files\IncrediMail\bin\IncMail.exe	Hello!	BIGPIECEOF****	Normal	1	14/11/2006 8:15:45 PM	14/11/2006 8:15:45 PM

The "Incredimail" program has been uninstalled already, after the incident.

Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

I only wanted errors in red (although I mistyped it as "read" hence the confusion). Please go back and open the errors shown in red and follow the instructions in my previous post to copy them to the clipboard and paste their contents here.


----------



## No XPert (Aug 22, 2005)

Sorry about that. Nothing wrong with your directions. My fault. I think I've got it sussed this time.

Application errors....for 16/11/06 onwards

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 15/11/2006
Time: 9:47:11 PM
User: N/A
Computer:	BIGPIECEOF****
Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9.ocx, version 9.0.16.0, fault address 0x000711b0.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 69 65 78 ure iex
0018: 70 6c 6f 72 65 2e 65 78 plore.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180 
0030: 69 6e 20 66 6c 61 73 68 in flash
0038: 39 2e 6f 63 78 20 39 2e 9.ocx 9.
0040: 30 2e 31 36 2e 30 20 61 0.16.0 a
0048: 74 20 6f 66 66 73 65 74 t offset
0050: 20 30 30 30 37 31 31 62 000711b
0058: 30 0d 0a 0..

System Errors for....16/11/06 onwards
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 16/11/2006
Time: 7:02:27 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	System Error
Event Category:	(102)
Event ID:	1003
Date: 16/11/2006
Time: 7:29:43 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
Error code 1000000a, parameter1 00000004, parameter2 00000002, parameter3 00000000, parameter4 804e6617.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 30 1000000
0020: 61 20 20 50 61 72 61 6d a Param
0028: 65 74 65 72 73 20 30 30 eters 00
0030: 30 30 30 30 30 34 2c 20 000004, 
0038: 30 30 30 30 30 30 30 32 00000002
0040: 2c 20 30 30 30 30 30 30 , 000000
0048: 30 30 2c 20 38 30 34 65 00, 804e
0050: 36 36 31 37 6617 
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 16/11/2006
Time: 7:34:13 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	System Error
Event Category:	(102)
Event ID:	1003
Date: 16/11/2006
Time: 8:47:37 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
Error code 1000000a, parameter1 00000004, parameter2 00000002, parameter3 00000000, parameter4 804e6617.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 30 1000000
0020: 61 20 20 50 61 72 61 6d a Param
0028: 65 74 65 72 73 20 30 30 eters 00
0030: 30 30 30 30 30 34 2c 20 000004, 
0038: 30 30 30 30 30 30 30 32 00000002
0040: 2c 20 30 30 30 30 30 30 , 000000
0048: 30 30 2c 20 38 30 34 65 00, 804e
0050: 36 36 31 37 6617 
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 16/11/2006
Time: 8:52:07 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Dhcp
Event Category:	None
Event ID:	1002
Date: 16/11/2006
Time: 9:41:53 PM
User: N/A
Computer:	BIGPIECEOF****
Description:
The IP address lease 10.1.1.2 for the Network Card with network address 0015E922EAE0 has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Dhcp
Event Category:	None
Event ID:	1002
Date: 16/11/2006
Time: 10:15:42 PM
User: N/A
Computer:	BIGPIECEOF****
Description:
The IP address lease 10.1.1.2 for the Network Card with network address 0015E922EAE0 has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 17/11/2006
Time: 7:05:00 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 17/11/2006
Time: 8:12:53 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

There you go... I got it right this time. Hope that all means something to you!
Regards Dave.


----------



## Cookiegal (Aug 27, 2003)

I would think those items detected by Sygate were normal activity. AVG is connecting to AVG but in the Czech Republic. Is that where you are located?


----------



## No XPert (Aug 22, 2005)

Umm NO!! I'm in "the lucky country"....Australia. Couldn't ya tell mate??
Regards Dave

P.S. Updated my profile to reflect that.


----------



## Cookiegal (Aug 27, 2003)

OK, I found out AVG is in the Czech Republic so that is normal activity when updating AVG.

Run this please and post the results:

http://noahdfear.geekstogo.com/FindAWF.exe

I'd also like to see a HijackThis log taken from each of the other user accounts please.
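Cookiegal's call above rests on one check: the program that opened the connection and the destination it reached belong to the same vendor (avgamsvr.exe to guru.grisoft.com, IncMail.exe to www.incredimail.com), so Sygate's "Application Hijacking" label is not by itself evidence of compromise. The Python below is an added example, not code from the thread or from Sygate, that applies that check to the tab-separated log format Dave posted. The program-to-domain map is an assumption built from the thread's own reasoning, and rows three and four of the sample are constructed to show the two failing cases.

```python
import re

# Constructed sample: the first two rows are the Sygate entries posted above; the third and
# fourth are made up to show a mismatch and an unlisted program (they are not from the thread).
SAMPLE_ROWS = [
    ["15/11/2006 8:56:57 AM", "Application Hijacking", "Critical", "Outgoing", "TCP",
     "guru.grisoft.com [193.86.3.36]", "00-15-E9-22-EA-DE", "10.1.1.2", "00-15-E9-22-EA-E0",
     r"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe", "Hello!", "BIGPIECEOF****"],
    ["14/11/2006 8:16:47 PM", "Application Hijacking", "Critical", "Outgoing", "TCP",
     "www.incredimail.com [206.82.140.162]", "00-15-E9-22-EA-DE", "10.1.1.2", "00-15-E9-22-EA-E0",
     r"C:\Program Files\IncrediMail\bin\IncMail.exe", "Hello!", "BIGPIECEOF****"],
    ["17/11/2006 9:00:00 AM", "Application Hijacking", "Critical", "Outgoing", "TCP",
     "updates.example.net [198.51.100.7]", "00-15-E9-22-EA-DE", "10.1.1.2", "00-15-E9-22-EA-E0",
     r"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe", "Hello!", "BIGPIECEOF****"],
    ["17/11/2006 9:01:00 AM", "Application Hijacking", "Critical", "Outgoing", "TCP",
     "[203.0.113.9]", "00-15-E9-22-EA-DE", "10.1.1.2", "00-15-E9-22-EA-E0",
     r"C:\WINDOWS\Temp\upd.exe", "Hello!", "BIGPIECEOF****"],
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in SAMPLE_ROWS)

# Assumed map from program to the domains it is expected to talk to. The entries encode the
# reasoning in the thread: AVG components update from Grisoft, IncrediMail talks to incredimail.com.
EXPECTED_EGRESS = {
    "avgamsvr.exe": ("grisoft.com",),
    "avgupsvc.exe": ("grisoft.com",),
    "incmail.exe": ("incredimail.com",),
}
# Sygate writes the remote end as "name [ip]"; the name is empty when there is no reverse DNS.
HOST_RE = re.compile(r"^(?P<name>[^\s\[]*)\s*\[(?P<ip>[0-9.]+)\]$")


def parse_sygate(text):
    """Split tab-separated Sygate traffic-log rows into dicts (only the fields we triage on)."""
    recs = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 10:
            continue
        m = HOST_RE.match(f[5].strip())
        recs.append({
            "time": f[0], "kind": f[1], "severity": f[2], "direction": f[3], "proto": f[4],
            "host": (m.group("name") if m else f[5]).lower(),
            "ip": m.group("ip") if m else None,
            "app": f[9],
            "exe": f[9].rsplit("\\", 1)[-1].lower(),
        })
    return recs


def host_in(host, domains):
    """True when host equals one of the domains or is a subdomain of it."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_egress(recs):
    """One verdict per row. The firewall's label is not the deciding factor; the pair
    (program, destination) is."""
    out = []
    for r in recs:
        allowed = EXPECTED_EGRESS.get(r["exe"])
        if allowed is None:
            verdict = "review: program not in the egress map"
        elif not r["host"]:
            verdict = "review: destination has no reverse DNS name"
        elif host_in(r["host"], allowed):
            verdict = "expected"
        else:
            verdict = "mismatch: known program, unexpected destination"
        out.append((r["exe"], r["host"] or r["ip"], verdict))
    return out


if __name__ == "__main__":
    for exe, dest, verdict in triage_egress(parse_sygate(SAMPLE_LOG)):
        print(f"{exe:14} -> {dest:24} {verdict}")
```

Row three is the interesting verdict: a legitimate updater reaching a host outside its vendor's domain is what a real hijack of that process would look like, and it is the process path plus destination, not Sygate's severity word, that separates the two.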


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal,
Although there are three users of the PC, we only run it on the one account..."Hello!". Only when I boot into "safe mode" do I get another option, and that is "administrator". PC is still crashing and active desktop still AWOL, but apart from those issues everything else seems to be fine. No other weird stuff.

Logs as requested.... HJT log is from "Hello!" account.

Find AWF report by noahdfear ©2006

21504 byte files found
~~~~~~~~~~~~~

21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

25600 byte files found
~~~~~~~~~~~~~

25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

26450 byte files found
~~~~~~~~~~~~~

26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Logfile of HijackThis v1.99.1
Scan saved at 9:19:44 AM, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GESUI - Unknown owner - C:\DOCUME~1\HELLO!~1.BIG\LOCALS~1\Temp\GESUI.exe (file missing)
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Regards Dave


----------



## Cookiegal (Aug 27, 2003)

Let's try running this IEFix tool:

http://www.majorgeeks.com/download4467.html


----------



## No XPert (Aug 22, 2005)

OK done. Took three attempts to get it to go. First time got the dreaded shutdown. Second time it did not want to recognise the drive that the XP CD was in to load the files. Third time, no problems.
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

Let me know how things are running now.


----------



## No XPert (Aug 22, 2005)

Seems Ok for most part. Has had at least one crash in last 24hrs that I know of.
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

Let's see how it goes over the next 24 hours.


----------



## No XPert (Aug 22, 2005)

Crash count......4
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

Please check the event viewer again and post any errors in red that appeared over the past 24 hours (application and system).


----------



## No XPert (Aug 22, 2005)

Hi Cookiegal, There was apparently a couple more crashes I wasn't told about. No "Red" errors in application, just the one warning. These are the errors logged in system....
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 20/11/2006
Time: 8:19:17 PM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	System Error
Event Category:	(102)
Event ID:	1003
Date: 20/11/2006
Time: 9:34:24 PM
User: N/A
Computer:	BIGPIECEOF****
Description:
Error code 1000008e, parameter1 c0000005, parameter2 804fb2d0, parameter3 b94bdc78, parameter4 00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 38 1000008
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005, 
0038: 38 30 34 66 62 32 64 30 804fb2d0
0040: 2c 20 62 39 34 62 64 63 , b94bdc
0048: 37 38 2c 20 30 30 30 30 78, 0000
0050: 30 30 30 30 0000

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 20/11/2006
Time: 9:38:41 PM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 21/11/2006
Time: 6:27:11 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	System Error
Event Category:	(102)
Event ID:	1003
Date: 21/11/2006
Time: 8:03:48 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
Error code 1000000a, parameter1 833509f4, parameter2 00000002, parameter3 00000001, parameter4 804e9d5f.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 30 1000000
0020: 61 20 20 50 61 72 61 6d a Param
0028: 65 74 65 72 73 20 38 33 eters 83
0030: 33 35 30 39 66 34 2c 20 3509f4, 
0038: 30 30 30 30 30 30 30 32 00000002
0040: 2c 20 30 30 30 30 30 30 , 000000
0048: 30 31 2c 20 38 30 34 65 01, 804e
0050: 39 64 35 66 9d5f

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 21/11/2006
Time: 8:08:10 AM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 21/11/2006
Time: 4:32:16 PM
User: N/A
Computer:	BIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

That's it. Hope there's something in that for you.
Regards Dave


----------



## Cookiegal (Aug 27, 2003)

I'm going to ask someone else to take a look at those errors.


----------



## Rollin' Rog (Dec 9, 2000)

Have you been having any connectivity or firewall issues to go with this error:



> The Computer Browser service terminated with the following error:
> This operation returned because the timeout period expired.


This is all I can find on that:

http://support.microsoft.com/default.aspx/kb/889320

The other errors are indicative of Blue screen crashes or unexpected restarts. Have you been seeing any STOP errors or having performance problems associated with these?

I can look a little further at those if you do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
2 > navigate to c:\windows\minidump and copy the last 2 or 3 minidump files to that folder. They are numbered by date.
3 > close the folder and right click on it and select "Send to (folder name).zip"
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a 3rd party driver causing the error, if one exists for it.
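Rollin' Rog reads the Event ID 1003 entries above as blue-screen records. The Python below is an added example, not code from the thread, that does that reading mechanically: it parses the Event Viewer text in the form Dave pasted it, counts each (source, event ID) pair, and decodes the "Error code ..., parameter1 ..." line of every 1003 entry into its STOP name and parameter meanings. The STOP-code names and parameter layouts follow the Windows bugcheck reference; the sample input is three entries copied from the posts above. Which driver is at fault still needs the minidump, exactly as the post says.

```python
import re
from collections import Counter

# Constructed sample: three entries copied from the System log pasted in this thread
# (one Computer Browser timeout, two STOP errors recorded as Event ID 1003).
SAMPLE_LOG = """\
Event Type:\tError
Event Source:\tService Control Manager
Event Category:\tNone
Event ID:\t7023
Date: 16/11/2006
Time: 7:02:27 AM
User: N/A
Computer:\tBIGPIECEOF****
Description:
The Computer Browser service terminated with the following error: 
This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:\tError
Event Source:\tSystem Error
Event Category:\t(102)
Event ID:\t1003
Date: 16/11/2006
Time: 7:29:43 AM
User: N/A
Computer:\tBIGPIECEOF****
Description:
Error code 1000000a, parameter1 00000004, parameter2 00000002, parameter3 00000000, parameter4 804e6617.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
Event Type:\tError
Event Source:\tSystem Error
Event Category:\t(102)
Event ID:\t1003
Date: 20/11/2006
Time: 9:34:24 PM
User: N/A
Computer:\tBIGPIECEOF****
Description:
Error code 1000008e, parameter1 c0000005, parameter2 804fb2d0, parameter3 b94bdc78, parameter4 00000000.
"""

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
STOP_RE = re.compile(r"Error code ([0-9a-f]{8}), parameter1 ([0-9a-f]{8}), parameter2 ([0-9a-f]{8}), parameter3 ([0-9a-f]{8}), parameter4 ([0-9a-f]{8})")

# STOP codes commonly behind Event ID 1003 on XP (names from bugcodes.h); extend as needed.
BUGCHECK_NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
                  0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", 0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
                  0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0x80000003: "STATUS_BREAKPOINT"}


def parse_events(text):
    """Split a pasted Event Viewer dump into one dict per 'Event Type:' block."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            cur, in_desc = {"Description": ""}, False
            events.append(cur)
        if cur is None:
            continue
        if line.startswith("Description:"):
            in_desc = True
        elif in_desc and line.startswith(("For more information", "Data:")):
            in_desc = False          # the hex 'Data:' block repeats the description; skip it
        elif in_desc:
            cur["Description"] = (cur["Description"] + " " + line.strip()).strip()
        else:
            m = FIELD_RE.match(line)
            if m:
                cur[m.group(1)] = m.group(2).strip()
    return events


def decode_stop(description):
    """Turn an Event ID 1003 'Error code ..., parameter1 ...' text into a named bugcheck."""
    m = STOP_RE.search(description)
    if not m:
        return None
    code, p1, p2, p3, p4 = (int(x, 16) for x in m.groups())
    base = code & 0x0FFFFFFF  # event 1003 logs the STOP code with 0x10000000 OR'd in
    info = {"code": base, "name": BUGCHECK_NAMES.get(base, "UNKNOWN"), "params": (p1, p2, p3, p4)}
    if base == 0x0A:   # params: address referenced, IRQL, 0=read/1=write, faulting instruction
        info["detail"] = {"referenced": p1, "irql": p2, "write": bool(p3), "pc": p4}
    elif base == 0x8E:  # params: NTSTATUS of the exception, faulting instruction, trap frame
        info["detail"] = {"exception": NTSTATUS_NAMES.get(p1, hex(p1)), "pc": p2, "trap_frame": p3}
    return info


def triage_events(text):
    """Count (source, id) pairs and decode every STOP error in the dump."""
    events = parse_events(text)
    counts = Counter((e.get("Event Source"), e.get("Event ID")) for e in events)
    crashes = [decode_stop(e["Description"]) for e in events if e.get("Event ID") == "1003"]
    return {"counts": counts, "crashes": [c for c in crashes if c]}
```

Read against the dumps above, the 1000000a entries share parameter2 = 2 (a DISPATCH_LEVEL access to a near-null address) and a parameter4 in the 0x804exxxx range, which on XP falls inside the kernel image rather than a third-party driver; that pattern is what moves the thread from a malware hunt to RAM and driver tests, and it is also why the 7023 Computer Browser timeouts matter less: they appear minutes before each reboot as a symptom, not a cause.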


----------



## No XPert (Aug 22, 2005)

Hi Rollin',
Must have worn Cookiegal out on this one eh?? Pass on my thanks for her patience and effort, they have been very much appreciated.

Have been experiencing random performance. Sometimes it seems to be running fine, next minute sloooooowwwww as a wet week. I/E seems to run slow fairly often (we have broadband connection) like dial-up, with timeouts on sites regularly.

Absolutely no warnings to when it's going to crash. Just goes black and PC reboots itself. Just as though you had switched off the power. Doesn't matter what you're doing, had one just before as I read your post. Started PC, went straight to check this thread. BANG!! PC wouldn't have been on 2 minutes, so I don't think its hardware overheating.

Dumpster attached...

Regards Dave.


----------



## Rollin' Rog (Dec 9, 2000)

> BugCheck 1000000A, {8334fb84, 2, 1, 804eef75}
> 
> Probably caused by : memory_corruption ( nt!MmSetAddressRangeModified+67 )
> 
> ...


Two of the bugchecks are similar to the first.

The key *might* be the second.

The driver is apparently associated with Alcohol 120%

I would start by uninstalling that program and see if the Bluescreens stop. If not, I would test the memory as the first can often be caused by hardware issues:

Since almost all bugchecks can be caused by faulty ram, I would recommend you perform memory tests.

Beginners Guides: Diagnosing Bad Memory

Windows Memory Diagnostic 
Memtest86 - A Stand-alone Memory Diagnostic

It might also be helpful to answer the following "performance" related questions (overheating might be something in particular to look into):

1 > is it very slow to boot up?
2 > do programs open slowly?
3 > does the same behavior occur both offline and on?
4 > does it matter how long the system has been on, and does a restart improve things?

Slow performance issues can often be due to overheating, so if the system is faster after it has been shutdown for a while and then restarted -- that would be especially suspect. To check for possible problems here, shutdown, open the case and blow out any accumulated dust. Then turn it on and check to see that the fan is working. Sometimes it helps to physically clean the fan.

If a laptop, check to see that the vent is clear of dust and verify the fan is working. Temps and fan speed can usually be monitored with SpeedFan (except on Dell desktops), a free utility.

5 > if you do a ctrl-alt-del, do any processes show excess cpu usage, other than System Idle Process?

6 > If you open the Device Manager (run *devmgmt.msc*) and select the entry for IDE ATA/Atapi and select the Primary IDE > Advanced Settings, does it say the "current transfer mode" is DMA or PIO?

If it says PIO, first ensure "Use DMA if Available" is selected, then select the driver tab and uninstall the driver and reboot. Then check again. 
____________________________________________________________________________
COMMIT CHARGE

Do ctrl-alt-del to open up the task manager. Select the "performance" tab. Let me know what you see under:

*Physical Memory*

*Total:* this is your total installed ram -- "physical" memory
*Available:* this is the amt of real "physical" memory presently uncommitted

*Commit Charge*

*Total:* this is the combination of total physical and virtual memory currently in use
*Limit:* this is the total physical and virtual memory available
*Peak:* this is the most you have had in use in this session


----------



## No XPert (Aug 22, 2005)

Sorry for the slow reply. I actually did all this yesterday, but the PC crashed during the process of posting my reply. Lost the whole post, which frustrated me enough to give up for the day. Try again!!!

Alcohol 120 was installed at one stage. I checked in Add / Remove, it doesn't show there, and I cannot find any file or folder in C: Drive, Program Files, Windows, or Document & Settings.

To answer your questions
1> Yes it is slow in my opinion to boot up. It would take around 1-2 minutes to bootup.
2> Programs "hang" from time to time. Sometimes they open as normal, other times very Sloooowwwww!!!
3> Yes. Doesn't matter what you're doing.
4> No. It doesn't matter how long it's been on for. Have had crashes occur in the time it takes to load I/E and find this thread (less than a minute from first bootup for the day). Rebooting normally fixes I/E if its slow.
5> System idle using 90+ %, others 2-3 %. All normal there.
6>Device Manager has IDE set at "DMA if available"

Physical Memory
Total = 523760
Available = 256240 approx (varying)

Commit Charge
Total = 271300
Limit = 1278928
Peak = 350488

Have not done a memory check as yet. Will post results ASAP.

Regards Dave


----------



## Rollin' Rog (Dec 9, 2000)

On question 6 -- does it say the "Current Transfer Mode" is Ultra DMA 5 or similar -- and not PIO?

In your Scanlog I see this, which looks odd, do you know what it is? If not I would remove it with the command in bold:

O23 - Service: GESUI - Unknown owner - C:\DOCUME~1\HELLO!~1.BIG\LOCALS~1\Temp\GESUI.exe (file missing)

If you ran System Internals rootkit revealer, I think it might be a residue of that.

Start > Run: *cmd* and at the prompt enter:

*sc delete GESUI*

The minidump which shows the vax347b.sys file was made on 11/21. Was Alcohol removed before or after that time?

Do a search for the file, probably in the system32 folder.

Also run *regedit* and do a search of the key

HKEY_LOCAL_MACHINE\SYSTEM

for it. Where is it found there if at all?
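Rollin' Rog spots the GESUI entry by eye: an O23 service with no recorded owner, pointing into a Temp folder, whose file is gone. The same three observations, plus the autorun and ActiveX-download checks a scanlog reviewer makes alongside them, can be made mechanically. The Python below is an added example, not the thread's code and not part of HijackThis; the list of accepted ActiveX download hosts and the "user-writable location" patterns are assumptions for illustration, and the sample input is a subset of the HijackThis log posted earlier in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GESUI - Unknown owner - C:\DOCUME~1\HELLO!~1.BIG\LOCALS~1\Temp\GESUI.exe (file missing)
"""

# HJT prints a service as "Display Name (ShortName)" when the two differ; 'sc' wants the short name.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.*?) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")

# Assumptions for illustration: hosts we accept ActiveX downloads from, and path patterns that a
# service or autorun entry should not normally point into.
KNOWN_DPF_SUFFIXES = ("msn.com", "microsoft.com", "pandasoftware.com")
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\local settings\\")
WINDOWS_ROOT_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe', re.I)


def path_reasons(path):
    """Reasons a program path deserves a look, independent of which HJT section it came from."""
    p = path.lower()
    reasons = []
    if any(s in p for s in USER_WRITABLE):
        reasons.append("runs from a temp or user-profile location")
    if WINDOWS_ROOT_EXE.match(p):
        reasons.append("executable sits directly in the Windows folder")
    return reasons


def triage_hjt(text):
    """Return the entries worth a second look, each with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            name, path, reasons = m.group("short") or m.group("display"), m.group("path"), []
            if path.endswith("(file missing)"):
                reasons.append("file missing")
                path = path[: -len("(file missing)")].strip()
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no publisher recorded")
            reasons += path_reasons(path)
            if reasons:
                findings.append({"section": "O23", "name": name, "path": path, "reasons": reasons})
            continue
        m = O4_RE.match(line)
        if m:
            reasons = path_reasons(m.group("cmd"))
            if reasons:
                findings.append({"section": "O4", "name": m.group("name"), "path": m.group("cmd"),
                                 "reasons": reasons})
            continue
        m = O16_RE.match(line)
        if m:
            host = (urlsplit(m.group("url")).hostname or "").lower()
            if not any(host == s or host.endswith("." + s) for s in KNOWN_DPF_SUFFIXES):
                findings.append({"section": "O16", "name": host, "path": m.group("url"),
                                 "reasons": ["download host not on the assumed known-publisher list"]})
    return findings


def remediation_commands(findings):
    """The thread's fix for a dead service entry, 'sc delete <name>' at a cmd prompt, per finding."""
    return [f"sc delete {f['name']}" for f in findings
            if f["section"] == "O23" and "file missing" in f["reasons"]]


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT)
    for f in found:
        print(f"{f['section']:4} {f['name']:24} {'; '.join(f['reasons'])}")
    print("\n".join(remediation_commands(found)))
```

A service whose binary is gone does nothing until something restores the file; deleting the registration closes that door, which is what the sc delete step achieves. An O23 entry whose file still exists gets the opposite treatment: examine the file (publisher, date, what it connects to) before touching the service, since removing a live service blind can take a legitimate product down with it. The O16 flag is only a prompt to check the download site, not a verdict on it.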


----------



## No XPert (Aug 22, 2005)

Hi Rog,
Re question 6 "Current Transfer Mode" IS Ultra DMA 5.
Deleted GESUI. Don't know what the hell that was. Means nothing to me!!
vax347b.sys shows up in C:\WINDOWS\system32\drivers
Am I supposed to search for vax347b.sys in HKEY_LOCAL_MACHINE\SYSTEM or for Alcohol120% in that folder. I did find a folder for Alcohol120% in HKEY_CURRENT_USER\Software\Alcohol Soft. Does that mean anything? Do I need to get rid of that maybe??

If I am suppose to search for vax347b.sys in HKEY is there a quick way to do it?? i.e. some kind of search engine.

Regards Dave


----------



## Rollin' Rog (Dec 9, 2000)

I would create a System Restore checkpoint and delete any references in the registry to that file name. Then reboot and rename or delete the file itself.

If Alcohol 120 has been removed you can also clean the registry of any references to it.


----------



## No XPert (Aug 22, 2005)

Ok, I've deleted both vax347b.sys and Alcohol120% from registry. 
Call me stupid if you like but I'm stuffed if I can work out how to do this memory test thing.
So far have no crashes since deleting them, but it's only been a couple of hours. Will see how it goes.
Regards Dave


----------



## No XPert (Aug 22, 2005)

Bugger!!! Still crashing!!! Might be time to look at getting........... 
a) Some new memory (upgrade) or 
b) A new PC altogether!!!!

P.S. Every time it crashes we lose active desktop. Does that mean anything??


----------



## Rollin' Rog (Dec 9, 2000)

Disable the active desktop:

http://www.computerhope.com/issues/ch000593.htm

Let me know what problems you are having with the memory test. Are you trying to use a CD version or a floppy disk?

Whichever you use, that device has to be first in the BIOS boot order. The CD version must be created with burning software that specifically supports the burning of ISO files. You must use the software's interface for it. You cannot just copy the .iso file to a CD as you would some other file.

Also, if any new minidump files have been created upload them in zip format as you did before.


----------



## No XPert (Aug 22, 2005)

Hey Mate,
Killed active desktop. Back to normal.
Can't understand what the instructions for memcheck all mean. Basically I don't have a clue on that one. Can't get my head around it neither. Will be easier to just go buy a new 512mb or 1g memory stick. Worst case scenario I've upgraded unnecessarily. Best case scenario, fixes the problem and upgrades as well.

Just in case there's something in it, here's the Dumpster from the last two days.
Regards Dave


----------



## Rollin' Rog (Dec 9, 2000)

I am still seeing "memory corruption" errors as well as others that are or could be "memory" related. Overheating might also be something to consider if the errors only occur after the computer has been on for a bit.

Just let me know where you are hanging up on the "memtest" creation.

Is it in creating the CD or Floppy? Which are you trying to create? 

Once it is created you just boot with it and it will run automatically if it has been created correctly and the device you are running it from is first in the boot order.

If you happen to have two memory modules -- physically remove one at a time and just run with one individual module and see what happens. Test different slots as well.


----------



## No XPert (Aug 22, 2005)

Sorry Rollin'
I'm away from that computer for a couple of days. Yes it's the whole creating the disk, and then putting it in the right order and stuff that I don't get. Basically the instruction they give might as well be written in Chinese, cause I don't have a clue what they mean.
Regards Dave


----------



## Rollin' Rog (Dec 9, 2000)

Just let me know whether you have a floppy drive and want to use that. Or have CD burning software such as Nero or Roxio and want to create a CD.


----------



## No XPert (Aug 22, 2005)

Got floppy and cdrw drive running Nero. Doing CD is probably better cause I've got blank CDs. 
Regards Dave


----------



## Rollin' Rog (Dec 9, 2000)

If you have Nero the creation process should be fairly simple.

Download and UNzip this file:

http://www.memtest.org/download/1.65/memtest86+-1.65.iso.zip

Put a writable CD in the drive and then "run" the .iso file. Nero should arise and prompt you through the rest.

Once the CD is created IF you have the CD drive first in the BIOS boot order all you should need do is reboot with it and it will boot not to Windows, but to the Memtest program which will run automatically.

If it reboots to Windows your CD drive is not first in the BIOS order. Some systems, like Dells, allow you to choose the IDE device to boot from in an F12 boot menu. If you don't have this then you have to see which key to press to enter the BIOS setup pages.

Often this is F2.

Once there look at the screen to see where the boot order is changed. It is usually "toggled" using page up and down or +/- keys.

Once the CD drive is first look for the option to SAVE and EXIT.

If you feel you have mucked things up exit without saving and try again.

If you really screw up -- just look for the option to reload the setup defaults.

The first 5 steps in this link may or may not reflect your specific BIOS options -- but it gives you the idea:

http://www.whitecanyon.com/how-to-change-boot-order.php


----------



## No XPert (Aug 22, 2005)

Hi Rollin'
Many things happened since last post. Bought 512mb memory stick. Installed it. Played up in Slot1, worked fine in Slot2, for about 15 min, then CRASH as usual. This time the machine wouldn't even boot up, it was "bluescreening" just after the Windows logo. Anyways, desperation set in and I thought reload windows. After multiple attempts getting kicked off cause I couldn't remember (or it wouldn't accept) my administrator password it decided for ITSELF to run a scandisk. It fixed four or five errors, then booted up as normal. Once the desktop came up, it gave me a notice about my graphics card, and recommended loading latest driver. Done that and so far all seems sweet. Only been a couple of hours though. Will wait and see. Oh and for the record, during all the won't bootup scenarios, I reinstalled the old memory chips. They are what it's running now, NOT the new stick.

Regards Dave


----------



## Rollin' Rog (Dec 9, 2000)

Okedoke, sounds like disk corruption might have been the problem then. You should periodically run *eventvwr.msc* and look for "disk" errors under the system log.

If you get them still, I would go to the drive vendor's site and get a diagnostic utility to see if the drive is still healthy.


----------



## No XPert (Aug 22, 2005)

24hrs .... Crash count.... 0, zip, nada, not a one!
Touch wood it might be fixed. Will let you know after a couple of days to a week.
Regards Dave


----------



## No XPert (Aug 22, 2005)

Ok been a couple of days now, with no crashes or hiccups. I think we can put this one to bed and call it fixed. Thank You for your help Rollin', and again pass on my thanks to Cookiegal. Great site I love it!!!

Kind Regards
Dave


----------



## Cookiegal (Aug 27, 2003)

Nice work Rog! :up:

You're welcome No XPert. 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

*Empty the recycle bin*.


----------

