# Keylogger Removal



## bella6100 (Feb 7, 2005)

I ran Spyware Doctor and it found the Blazing Tools Perfect Keylogger on my comp. I went into the folder and used the uninstall but it showed me a list of files that it said could not be removed and that I have to remove them manually. I want to make sure I remove every file associated with this program. I don't know how it got on my comp, I just want it completely gone. Please Help


----------



## Byteman (Jan 24, 2002)

Hi, Do this:

go to  *Click here* to download HJTsetup.exe
Save HJTsetup.exe to your *desktop.*
Double click on the *HJTsetup.exe icon* on your desktop.
By default it will install to *C:\Program Files\Hijack This.* 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then save the log and then the log will open in Notepad.
Click on *Edit > Select All*, then click on *Edit > Copy* to copy the entire contents of the log.
Paste the log in your next reply.
DO *NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

After you send in that log, please do what is below:

AVG ANTISPYWARE
Install and use directions for AVG Antispyware: 
You will need the correct steps to install and run a scan so here they are:
Note: When the trial period expires it becomes feature-limited freeware, but it is still worth keeping as a good on-demand scanner.

*You need to save these directions, either to a Notepad text file saved to your desktop (I suggest the filename steps.txt) or by printing this out.*
*Please note that the actual scan will be run in Safe Mode, directions below*

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder. 
http://free.grisoft.com/doc/20/lng/us/tpl/v5 

Install AVG Anti-Spyware by double clicking the installer. 
 Follow the prompts. Make sure that *Launch AVG Anti-Spyware* is checked. 
On the main screen under *Your Computer's security* 
(These settings may not be used anymore and the defaults of "N/A" are OK)
Click on *Change state* next to *Resident shield*. It should now change to *inactive*. (If what shows is n/a, that's OK.)
Click on Change state next to Automatic updates. It should now change to *inactive.* (same it should look like n/a) 

Next to *Last Update*, click on *Update now*. (You will need an active internet connection to perform this.)
Wait until you see the *Update successful* message.
(When the progress lines stop, pressing "Start Update" again will usually just change back; it's done if you don't get any further updating activity.)

*(Only if you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware; use it only if you cannot update over the web.*
AVG Antispyware Updates
Download the *Full database* to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.) 
______________________________



1. On the main window, click on the "*Scanner*" button and choose the "*Settings*" tab. 
Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan?*" check all (default). 
Under "*Possibly unwanted software*" check all (default). 
Under "*What to Scan?*" make sure "*Scan every file*" is selected (default). 
Under "*Reports*" select "*Automatically generate report after every scan*" and 
UNcheck "*Only if threats were found*".

2. Click the "*Scan*" tab to return to scanning *options*. You don't scan just yet!
3.*If* you were scanning now, you would Click "*Complete System Scan*" to start. 
4. When the scan finished you'd be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.
_HOW TO SCAN: please note the scan is done in Safe Mode; read on._
 If the computer is running, shut down Windows, and then turn off the power. 
*Reboot your computer* TO *Safe Mode.*  Here's how:
Wait 30 seconds, and then turn the computer on. 
Start tapping the *F8 key.* The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. 
Ensure that the Safe Mode option is selected. 
Press Enter. The computer then begins to start in Safe mode. 
Login on your *usual account.*
Launch AVG Antispyware
Click "*Complete System Scan*" to start.

*IMPORTANT!* Do not save the report before you have clicked the *Apply all actions* button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button!

5. Click on "*Save Report*" to view all completed scans. 
Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20072020-142816.txt*.
Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.


----------



## bella6100 (Feb 7, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 11:08:15 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe
F:\PROGRA~1\SPYWAR~2\swdoctor.exe
F:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpywareTerminator] "F:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [windowsxp2] F:\WINDOWS\system32\windowsxp2.exe
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - F:\Program Files\WinClamAVShield\sp_clamsrv.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - F:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


----------



## Byteman (Jan 24, 2002)

Hi, You might want to turn off Spyware Terminator and also Spyware Doctor when you are just going to install AVG Antispyware....

just after you get the download, and want to install AVG A/S

do this:

Spyware Doctor
From within Spyware Doctor, click the "OnGuard" button on the left side. 
Uncheck "Activate OnGuard". (The free version may not have it running, that is what we want anyway)

Spyware Terminator settings to turn off real time protections during the time we are using AVG:

*http://www.spywareterminator.com/help/FAQ.aspx?faqid=1393&faqmod=SpyTerm_Help5*

Do what it says there.

Then, install AVG A/S as in my reply.


----------



## bella6100 (Feb 7, 2005)

Hey,

lol I already installed AVG before I read your post, but I did actually uninstall spyware terminator, b/c I don't think I need it if I have spydoc. Well, here is the AVG report.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	12:23:22 AM 3/7/2007

+ Scan result:

F:\Program Files\Windows Security files\bpkhk.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned.
F:\WINDOWS\system32\windowsxp2hk.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned.
F:\Program Files\Windows Security files\bpk.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned.
F:\WINDOWS\system32\windowsxp2.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned.
F:\Documents and Settings\Priya\Local Settings\Temp\bpkun.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bu : Cleaned.
F:\Program Files\Windows Security files\bpkun.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bu : Cleaned.
H:\RECYCLER\S-1-5-21-220523388-1303643608-725345543-1003\Dh1\saaviun.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bu : Cleaned.
F:\Program Files\Windows Security files\bpkr.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned.
F:\Program Files\Windows Security files\bpkvw.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned.
F:\WINDOWS\system32\windowsxp2r.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned.
H:\RECYCLER\S-1-5-21-220523388-1303643608-725345543-1003\Dh1\saavir.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned.
H:\RECYCLER\S-1-5-21-220523388-1303643608-725345543-1003\Dh1\saavivw.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Tara\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
H:\RECYCLER\S-1-5-21-2052111302-1614895754-725345543-1003\Di4\BCM\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.48:F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
H:\RECYCLER\S-1-5-21-2052111302-1614895754-725345543-1003\Di4\BCM\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.47:F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.49:F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
:mozilla.50:F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
H:\RECYCLER\S-1-5-21-2052111302-1614895754-725345543-1003\Di4\BCM\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
H:\RECYCLER\S-1-5-21-2052111302-1614895754-725345543-1003\Di4\BCM\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Realmedia : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.51:F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
H:\RECYCLER\S-1-5-21-2052111302-1614895754-725345543-1003\Di4\BCM\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.52:F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
F:\RECYCLER\S-1-5-21-220523388-1303643608-725345543-1003\Df2\order.url -> Trojan.Keylog.153 : Cleaned.
H:\RECYCLER\S-1-5-21-220523388-1303643608-725345543-1003\Dh1\order.url -> Trojan.Keylog.153 : Cleaned.
F:\RECYCLER\S-1-5-21-220523388-1303643608-725345543-1003\Df2\downloads.url -> Trojan.Keylog.154 : Cleaned.
H:\RECYCLER\S-1-5-21-220523388-1303643608-725345543-1003\Dh1\downloads.url -> Trojan.Keylog.154 : Cleaned.

::Report end


----------
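The two logs above line up: the `[windowsxp2]` Run entry in the first HijackThis log points at `F:\WINDOWS\system32\windowsxp2.exe`, which AVG then reported as Perflogger (the detection name AV engines use for the Perfect Keylogger family), with its hook DLL `windowsxp2hk.dll` beside it and a second copy of the whole kit under `Program Files\Windows Security files`. The Python below is an added example, not part of any post and not HijackThis or AVG code, that does this correlation mechanically over excerpts of the two logs. It assumes the HijackThis 1.99.1 `O4` and AVG 7.5 report line formats exactly as they appear in the thread; the one tracking-cookie line is a constructed stand-in, because the cookie filenames in the thread did not survive extraction.

```python
r"""Cross-check HijackThis O4 autorun entries against an AVG Anti-Spyware report.

Added example for this thread, not code from HijackThis, AVG or any poster.
Assumes the HijackThis 1.99.1 line format   O4 - HKLM\..\Run: [name] command
and the AVG 7.5 report line format          path -> Detection.Name : Action.
as they appear in the logs posted above.
"""
import ntpath
import re
from collections import Counter

# Excerpt of the first HijackThis log posted above (O4 lines only).
HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "F:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [windowsxp2] F:\WINDOWS\system32\windowsxp2.exe
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""

# Excerpt of the AVG report posted above. The cookie line is a constructed
# stand-in: the thread's cookie filenames were mangled in extraction.
AVG_REPORT = r"""
F:\Program Files\Windows Security files\bpkhk.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned.
F:\WINDOWS\system32\windowsxp2hk.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned.
F:\Program Files\Windows Security files\bpk.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned.
F:\WINDOWS\system32\windowsxp2.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned.
F:\Documents and Settings\Priya\Local Settings\Temp\bpkun.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bu : Cleaned.
F:\WINDOWS\system32\windowsxp2r.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned.
F:\Documents and Settings\Priya\Cookies\user@example-ads[1].txt -> TrackingCookie.Doubleclick : Cleaned.
F:\RECYCLER\S-1-5-21-220523388-1303643608-725345543-1003\Df2\order.url -> Trojan.Keylog.153 : Cleaned.
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
AVG_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>\w+)\.$")


def exe_from_command(cmd):
    """Executable path from an autorun command line: a quoted path ends at the
    closing quote, an unquoted one at the first .exe token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(text):
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["exe"] = exe_from_command(d["cmd"])
            entries.append(d)
    return entries


def parse_avg(text):
    hits = []
    for line in text.splitlines():
        m = AVG_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def family(detection):
    """'Not-A-Virus.Monitor.Win32.Perflogger.ad' -> 'Not-A-Virus.Monitor.Win32.Perflogger'."""
    return detection.rsplit(".", 1)[0]


def triage(hjt_text, avg_text):
    autoruns = parse_o4(hjt_text)
    detections = parse_avg(avg_text)
    # ntpath.normcase lowercases and normalises separators on any host OS.
    # 8.3 short names (PROGRA~1) cannot be expanded offline, so an autorun
    # written that way will never match a long-path detection: check by hand.
    by_path = {ntpath.normcase(d["path"]): d for d in detections}
    hits = [(a, by_path[ntpath.normcase(a["exe"])]) for a in autoruns
            if ntpath.normcase(a["exe"]) in by_path]
    hit_dirs = {ntpath.dirname(ntpath.normcase(a["exe"])) for a, _ in hits}
    covered = {ntpath.normcase(d["path"]) for _, d in hits}
    malware = [d for d in detections if family(d["detection"]) != "TrackingCookie"]
    # Detected files nothing starts at boot: the leftovers that survive a
    # "delete the Run entry" fix and that the vendor uninstaller left behind.
    no_autorun = [d for d in malware if ntpath.normcase(d["path"]) not in covered]
    # Detections sitting in the same directory as an autorun hit (hook DLLs, helpers).
    companions = [d for d in no_autorun if ntpath.dirname(ntpath.normcase(d["path"])) in hit_dirs]
    return {"hits": hits, "no_autorun": no_autorun, "companions": companions,
            "families": Counter(family(d["detection"]) for d in detections)}


if __name__ == "__main__":
    r = triage(HJT_LOG, AVG_REPORT)
    for a, d in r["hits"]:
        print(f"autorun [{a['name']}] ({a['hive']}) -> {d['detection']} : {d['action']}")
    print("companions :", [ntpath.basename(d["path"]) for d in r["companions"]])
    print("no autorun :", [ntpath.basename(d["path"]) for d in r["no_autorun"]])
    print("families   :", dict(r["families"]))
```

The `no_autorun` list is the part worth reading after a manual uninstall: those files are no longer started at boot, but they still contain the keylogger (the `bpk*.exe` copies under `Windows Security files`, the `Temp` copy of the uninstaller, the `RECYCLER` leftovers), and they are exactly what the vendor uninstaller reported it could not remove.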



## Byteman (Jan 24, 2002)

Hi, You had AVG Antispyware installed- that's fine.

But, you didn't read my directions for running a scan-

The way to have it scan is to have it set to *Quarantine* for Actions Taken-

Doesn't matter as it seems to have removed everything.

But, if it had run up against something that it could not clean, it would simply ignore it. Using the "Quarantine" action lets it just remove the item to the Quarantine area.

I need to see a brand new Hijackthis log please, when you have time.

Does not have to be tonite...


----------



## bella6100 (Feb 7, 2005)

Hey, so when I did the settings for the AVG, I had set it to Quarantine but in Safe mode the action showed up as clean, and I didn't change it b/c I wasn't sure if I was supposed to.

Logfile of HijackThis v1.99.1
Scan saved at 9:09:03 AM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Spyware Doctor\swdoctor.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - F:\Program Files\WinClamAVShield\sp_clamsrv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


----------



## bella6100 (Feb 7, 2005)

Also, I posted another thread about another problem I am having in the Windows XP forums, but I was wondering if maybe you could help. Whenever I try to run a game called Maple Story, I can play it fine for a matter of time but then I will start getting intermittent blue flashes on the screen (just very short flashes) and then after a while the game will just freeze and shut down. Now it gives me a message that the Sisgrv display is not working properly and that I need to reboot to restore full functionality, but I get this same problem every time I try to play the game. What can I do to figure out what exactly the problem is and how I can resolve it?


----------



## Byteman (Jan 24, 2002)

Hi, Just a loose end leftover from the Spyware Terminator program.

Check in *Control Panel> Add/Remove Programs list* for

Spyware Terminator Clam Service (sp_clamsrv) and Uninstall or try to....

Next:

Go Start>Run and type in: services.msc

In the list of Services, check up and down the list for this one:

(I am not sure just how it's name displays...)

Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner -

*If it shows*, right click and select Properties, and set it to *Stop* , if it is not already stopped, and then set the Startup to *Disable.*

Next delete the service:

In the Run space- type in:

sc delete (whatever the service name was).

Restart the computer.

If you would rather use the Registry to delete the service:

Click Start | Run and type regedit in the Open: line. Click OK.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Scroll down the left pane, locate the service name, right click it and select Delete. Be sure you are working only on that Spyware Terminator service!!!

Reboot the system.

We need to have you run this online scan please:

*HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

Post the log of that scan, called *activescan.txt* in your reply and..

Need to see a *new Hijackthis log.*


----------
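`sc delete` wants the service's registry key name, which is the name in parentheses on the O23 line (`sp_clamsrv`), not the display name `Spyware Terminator Clam Service`. Three of the Symantec lines in the same log also carry `(file missing)`, yet `ccSvcHst.exe` is in the running-process list, so deleting on that flag alone would break Norton. The Python below is an added example (not from any poster, HijackThis or Microsoft) that reads the O23 lines and the running-process list from an excerpt of the second HijackThis log above and produces the stop/disable/delete commands only for services whose binary is both reported missing and not running. It assumes HijackThis prints the key name in parentheses only when it differs from the display name, and treats a `(file missing)` service whose executable is nonetheless running as a quoting artifact rather than a real missing file; both are assumptions drawn from the logs, not documented behaviour.

```python
r"""Build a cleanup plan for orphaned Windows services from HijackThis O23 lines.

Added example for this thread; not code from HijackThis or any poster.
Assumes the HijackThis 1.99.1 O23 format seen in the logs above:
    O23 - Service: Display Name (KeyName) - Owner - image path [(file missing)]
and that (KeyName) is printed only when it differs from the display name.
KeyName is the subkey under HKLM\SYSTEM\CurrentControlSet\Services and the
name that sc.exe expects.
"""
import re

# Excerpt of the second HijackThis log posted above (process list and O23 lines).
HJT_LOG = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Unknown owner - F:\Program Files\WinClamAVShield\sp_clamsrv.exe (file missing)
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"


def parse_running(text):
    """Lower-cased basenames of everything listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break
        elif in_block:
            procs.add(line.rsplit("\\", 1)[-1].lower())
    return procs


def parse_o23(text):
    services = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        s = m.groupdict()
        s["key"] = s["key"] or s["display"]      # assumption: (key) only shown when it differs
        s["missing"] = s["missing"] is not None
        # Norton's ImagePath is quoted and carries arguments ("...ccSvcHst.exe" /h ccCommon);
        # HijackThis prints the stray quote and the tail, so cut both off.
        s["image"] = s["path"].split('"')[0].strip()
        services.append(s)
    return services


def plan(text):
    """One verdict per service; sc.exe commands only for the removable ones."""
    running = parse_running(text)
    out = []
    for s in parse_o23(text):
        exe = s["image"].rsplit("\\", 1)[-1].lower()
        if s["missing"] and exe in running:
            # Binary is alive despite the flag: HijackThis could not resolve the
            # quoted-with-arguments ImagePath. Deleting this would break the product.
            verdict, cmds = "keep (running; 'file missing' is a path-parsing artifact)", []
        elif s["missing"]:
            verdict = "remove (binary gone and not running)"
            cmds = [f"sc stop {s['key']}",
                    f"sc config {s['key']} start= disabled",
                    f"sc delete {s['key']}"]
        elif s["owner"] == "Unknown owner":
            verdict, cmds = "review (unknown publisher, binary present)", []
        else:
            verdict, cmds = "keep", []
        out.append({"key": s["key"], "display": s["display"], "verdict": verdict,
                    "regkey": SERVICES_KEY + s["key"], "commands": cmds})
    return out


if __name__ == "__main__":
    for p in plan(HJT_LOG):
        print(f"{p['key']:<24} {p['verdict']}")
        for c in p["commands"]:
            print("    " + c)
```

The commands are printed, not executed: run them from an administrative command prompt (the space after `start=` is required by `sc config`), or delete the `HKLM\SYSTEM\CurrentControlSet\Services\sp_clamsrv` key in regedit as the post describes, then reboot. `CleanService` comes out as "review" rather than "remove" because its binary still exists; it belongs to the StompSoft shredder that is also in the Run list, not to Spyware Terminator.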



## bella6100 (Feb 7, 2005)

Well, here is the new Hijack file but I don't know why the Panda scan is not working.
It scans, and then a little after halfway through it just stops and closes, and I have no idea why. There is no error message or anything, and I do not have any other programs running in the background. I don't even do anything on the comp, I just let it run, but I tried four different times and it closed at the exact same place each time.

Logfile of HijackThis v1.99.1
Scan saved at 6:38:57 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\SPYWAR~2\swdoctor.exe
F:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] F:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


----------
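When a helper reads a HijackThis log like the one above, the first pass is mechanical: which entries point at a file that is not there, which services could not be attributed to a vendor, and which autostart binaries live somewhere other than Program Files or WINDOWS. The script below is an added example for this thread; it is not HijackThis and not code posted by anyone in it. It parses the O2/O4/O9/O23 line shapes seen above and applies those three checks. The sample lines are constructed to mirror the posted log, plus one made-up O4 entry (an executable under a user Temp directory) that is not in the log and exists only to exercise the location check. Note that "Unknown owner" together with "(file missing)" on a service line whose command line carries arguments, as on the Symantec entries above, is commonly a display quirk of how HJT splits the path, so the output is a review list for a human, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT itself).

Flags raised per entry:
  - 'file missing'                  the log says the target file was not found
  - 'unknown owner'                 an O23 service HJT could not attribute to a vendor
  - 'outside Program Files/WINDOWS' the binary lives in Temp, a profile, a drive root, ...
These are review hints, not malware verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the posted log. The last line is NOT from the
# thread; it is a made-up entry included to exercise the location check.
SAMPLE_LOG = (
    'O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\\Program Files\\Java\\jre1.5.0_10\\bin\\ssv.dll\n'
    'O4 - HKLM\\..\\Run: [ccApp] "F:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"\n'
    'O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)\n'
    'O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe" /h ccCommon (file missing)\n'
    'O23 - Service: iPod Service - Apple Computer, Inc. - F:\\Program Files\\iPod\\bin\\iPodService.exe\n'
    'O4 - HKCU\\..\\Run: [updater] F:\\DOCUME~1\\Priya\\LOCALS~1\\Temp\\updater.exe\n'
)

SECTION_RE = re.compile(r'^(O\d+)\s+-\s+')
# A drive letter or %VAR% root, then backslash-separated segments, ending in a
# binary-type extension. Stops at a double quote so quoted command lines work.
PATH_RE = re.compile(
    r'((?:[A-Za-z]:|%[A-Za-z_]+%)\\[^"\n]*?\.(?:exe|dll|sys|ocx|cpl|scr|com))(?![A-Za-z0-9])',
    re.IGNORECASE,
)
# Locations considered ordinary for an autostart binary (assumption; tune per system).
TRUSTED_ROOTS = ('\\program files\\', '\\progra~1\\', '\\windows\\', '%windir%\\')


@dataclass
class Entry:
    section: str                 # O2, O4, O9, O23, ...
    raw: str
    path: Optional[str]          # first binary path found on the line, if any
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT log line; returns None for lines that are not O-entries."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    pm = PATH_RE.search(line)
    entry = Entry(section=m.group(1), raw=line.rstrip('\n'),
                  path=pm.group(1) if pm else None)
    if '(file missing)' in line:
        entry.flags.append('file missing')
    if entry.section == 'O23' and ' - Unknown owner - ' in line:
        entry.flags.append('unknown owner')
    if entry.path and not any(root in entry.path.lower() for root in TRUSTED_ROOTS):
        entry.flags.append('outside Program Files/WINDOWS')
    return entry


def triage(log_text: str) -> List[Entry]:
    """All O-entries in the log, in order, with their flags."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries a human should look at first."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == '__main__':
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<36} {e.path}")
```

Run it against a saved hijackthis.log by reading the file into `triage()`; the flags narrow the list, and the next step for each flagged entry is still to check whether the file exists, who signed it and what the registry key actually says.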



## Byteman (Jan 24, 2002)

Hi, This can be caused by many things, so we will have to work on a try-this-then-that basis.

I have one computer that will not even start a Panda scan and I could never get it to, it used to....so this is common especially when the computer is still being cleaned up.

Down below I put links to one other good online scan so try it see if it works. Post the log from it....but, do these two things first~

Next: here is a temp file, browser cache cleaner, cookie remover, etc tool:

I use CleanUP!, and find it excellent.

About every 2 or 3 days, as the last thing before shutting down, I run CleanUp.

There is always a message to log off, after using it, but I sometimes do and then sometimes don't and have not noticed anything different.

Probably you should, the first time.

And, the first time you run it, you will see a popup about using it in Demo mode, that is a good idea just to see how much junk you have, but then you will have to run CleanUp again, this time, tell it No, so it does its thing. You won't get the "run in Demo mode" bit after the first time.

Note: Removing all Cookies will mean that all users of the computer who use sites like TSG that require logging in to an account, will have to manually log in with usernames and passwords at ALL places they have an account....so, be sure everyone knows all the login and passwords...

CleanUp also has a Cookie filter, where you can enter the ones you would like to keep- you will see the Cookies tab at the top of its window.

Download Cleanup from *here*
 

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu). 
Click the *Options...* button on the right. 
Move the arrow down to "*Custom CleanUp!*" 
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins 
Delete Cookies 
Cleanup! All Users 
Click *OK* 
 *DO NOT RUN IT YET*

Now boot to safe mode.

Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

Before trying Housecall, I need to have you do something- called emptying the Java cache, it is similar to getting rid of Temp Internet Files, but for the special cache used by Java....look at my pic below as a guide, it's from an older version of Java but yours will be quite similar, find the tab or button for the cache, then Delete the file...pretty straightforward.

The reason is, often things in there are detected as trojans (and sometimes are, or are exploits of older versions of Java, Windows holes, etc.) and also, the Housecall scan has an option for you to run the scan using Java, which may complete for you while the Active X is wacko or whatever is causing Panda to not run correctly...

In your Control Panel> find the Java icon and double click it open, then use the pic as a guide

After that is done and CleanUp has been run etc....

http://housecall.trendmicro.com/

Housecall has the option to use the Java scan, choose that one!

After the updates are downloaded and you are set to scan, just let it run. Choose to scan the *entire computer*, not selected folders or drives.

Hopefully I can find the directions for how to save a report from Housecall and post them- check back here, I am doing a scan there right now and will see what they have to save the log- I will post it.

After the Housecall scan completes, it will, if it found anything, have some items with *+* signs next to them, you can look through them and see what they are....

There is an automatic "Clean all" or similar button way at the bottom of the detected items list, I think that would be the easiest way to go> otherwise, you have to individually select for each item what you want Panda to do with the detected item.


----------
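One caveat a practitioner would add to the CleanUp! step above: a temp cleaner deletes whatever it finds, and the CleanUp! log posted later in this thread shows .exe, .dll and .sys files being removed from F:\WINDOWS\temp and the user's Temp directory that nobody had looked at. If a keylogger or its dropper had been sitting there, the only copy would be gone before anyone could check its hash. The script below is an added example, not CleanUp! and not code from anyone in the thread: run before the cleaner, it records path, size, timestamp and SHA-256 of every executable-type file under the temp locations CleanUp! empties and copies each one aside. The default directory list is an assumption modelled on the paths in the posted log; pass your own directories on the command line.

```python
"""Pre-cleanup inventory of executable-type files in temp locations.

Added example for this thread; it is not CleanUp! and not any tool posted here.
Run it BEFORE a temp cleaner so that what the cleaner is about to wipe is at
least recorded (path, size, mtime, SHA-256) and preserved in a side directory.
"""
import hashlib
import json
import os
import shutil
import sys
import tempfile
import time
from pathlib import Path

# File types worth recording before they vanish (assumption; extend as needed).
EXEC_EXT = {'.exe', '.dll', '.sys', '.scr', '.com', '.cpl', '.ocx',
            '.pif', '.bat', '.cmd', '.vbs', '.js'}


def default_targets():
    """Assumed locations, modelled on the directories CleanUp! emptied in the posted log."""
    profile = Path(os.environ.get('USERPROFILE', str(Path.home())))
    windir = Path(os.environ.get('WINDIR', r'C:\WINDOWS'))
    return [profile / 'Local Settings' / 'Temp',
            profile / 'Local Settings' / 'Temporary Internet Files',
            windir / 'temp',
            Path(os.environ.get('TEMP', str(profile / 'Local Settings' / 'Temp')))]


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def inventory(dirs, exts=EXEC_EXT):
    """One record per executable-type file found (recursively) under `dirs`.
    Files that cannot be read are recorded with an 'error' field, not skipped silently."""
    records = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in d.rglob('*'):
            if not p.is_file() or p.suffix.lower() not in exts:
                continue
            try:
                st = p.stat()
                records.append({
                    'path': str(p),
                    'size': st.st_size,
                    'mtime': time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(st.st_mtime)),
                    'sha256': sha256_of(p),
                })
            except OSError as err:      # locked or permission denied
                records.append({'path': str(p), 'error': str(err)})
    return records


def preserve(records, dest) -> int:
    """Copy every hashed file into `dest`, named <sha256>_<name>, so the cleaner
    cannot destroy the only copy. Returns the number of files copied."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    copied = 0
    for r in records:
        if 'sha256' not in r:
            continue
        target = dest / f"{r['sha256']}_{Path(r['path']).name}"
        if target.exists():
            continue
        try:
            shutil.copy2(r['path'], target)
            copied += 1
        except OSError:
            pass
    return copied


def demo():
    """Constructed sample tree (not from the thread): one fake 'executable' and one log file."""
    root = Path(tempfile.mkdtemp(prefix='inv_'))
    temp_dir = root / 'Temp'
    temp_dir.mkdir()
    payload = b'MZ' + b'\x00' * 62 + b'constructed sample, not a real binary'
    (temp_dir / 'sample.exe').write_bytes(payload)
    (temp_dir / 'install.log').write_text('just a log, should be ignored')
    recs = inventory([temp_dir])
    copied = preserve(recs, root / 'preserved')
    return recs, copied, hashlib.sha256(payload).hexdigest(), root


if __name__ == '__main__':
    dirs = sys.argv[1:] or default_targets()
    print(json.dumps(inventory(dirs), indent=2))
```

Keep the JSON output and the `preserved` directory off the machine being cleaned (a USB stick or a share); the hashes are what you hand to a scanner or a helper later, and the copies are what lets anyone still analyse a file after CleanUp! has deleted the original.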



## Byteman (Jan 24, 2002)

Hi, I have added what to do after the Housecall scan completes, into my last reply as an Edit, so refresh the page and go back to my other reply to see what I added.

It's at the bottom of the text, how to clean the infections if Panda shows any.

I didn't see an option to save the log, so if you could copy and paste anything, that would be good.
Or, write them down and include the exact trojan or whatever names in your reply.

Panda is much simpler and makes the log with a bit of help from you....

Post back and include a new HJT log please.


----------



## bella6100 (Feb 7, 2005)

CleanUp! started on 03/07/07 21:40:24.
...
Visited: [email protected]://www.stevengould.org/software/cleanup/download.html - deleted
F:\Documents and Settings\Priya\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][3].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected]_DOCTOR[1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected]co[2].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt - deleted
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/driver/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/SPYWARE_DOCTOR/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/mail - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/activescan/activescan/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/m2/cnet - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/pagead/conversion/1070748332/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/pagead/conversion/1070847646/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ad - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/pagead/conversion/1064030644/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/ - deleted
Cookie: [email protected]/adrevolver/ - deleted
F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\history.dat - deleted
F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt.old - deleted
F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt.old - deleted
F:\Documents and Settings\Priya\Recent\Cookies.lnk - deleted
F:\Documents and Settings\Priya\Recent\Digital File Shredder Pro.lnk - deleted
F:\Documents and Settings\Priya\Recent\Digital File Shredder Update Log.lnk - deleted
F:\Documents and Settings\Priya\Recent\EyeNL04.lnk - deleted
F:\Documents and Settings\Priya\Recent\index.lnk - deleted
F:\Documents and Settings\Priya\Recent\install.lnk - deleted
F:\Documents and Settings\Priya\Recent\KB886185.lnk - deleted
F:\Documents and Settings\Priya\Recent\nasreen.lnk - deleted
F:\Documents and Settings\Priya\Recent\Philips Backup.lnk - deleted
F:\Documents and Settings\Priya\Recent\Report-Scan-20070307-002322.lnk - deleted
F:\Documents and Settings\Priya\Recent\Search Results.lnk - deleted
F:\Documents and Settings\Priya\Recent\sizzling-south-sex-part1.lnk - deleted
F:\Documents and Settings\Priya\Recent\[email protected][1].lnk - deleted
F:\Documents and Settings\Priya\Recent\UserData.lnk - deleted
F:\Documents and Settings\Priya\Recent\Windows Security files.lnk - deleted
F:\Documents and Settings\Priya\Recent\WINDOWS.lnk - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\0d0e0f3c - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\0d170f3c - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\0d190f3c - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\0d1d0f3c - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\0d200f3c - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\0d230e3c - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\0d390e3c - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\582f_appcompat.txt - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMT5.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMT6.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMT7.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMT9FB.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMT9FC.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMT9FD.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMT9FE.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMT9FF.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMTA00.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMTBE.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMTBF.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMTC0.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMTCF.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMTD0.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\IMTD1.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\install.log - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\is9DD.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\java_install_reg.log - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\jusched.log - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\MSI2f8dd.LOG - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\np4.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\np5.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\np6.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\np7.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\np8.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\np9.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\npA.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\npB.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\npC.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\npD.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\npE.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Perflib_Perfdata_7c0.dat - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Perflib_Perfdata_cec.dat - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\RCX4.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\SET1408.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\set140B.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\SET140E.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Set1411.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\TWAIN.LOG - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Twain001.Mtx - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Twunk001.MTX - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Twunk002.MTX - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\wmsetup.log - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\~DF3FB8.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\~DFB0BC.tmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\is-8DGNS.tmp\SecurityUtil.dll - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\is-8DGNS.tmp\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 1 for Canada_zip.zip\DSC00666.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 1 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 1 for Nasreen Indian Character for V342605.zip\Runtime\Read me Nasreen.txt - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 1 for Nasreen Indian Character for V342605.zip\Runtime\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 1 for Nasreen Indian Character for V342605.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 13 for Canada_zip.zip\DSC00631.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 13 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 16 for Canada_zip.zip\DSC00634.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 16 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 18 for Canada_zip.zip\DSC00637.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 18 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 2 for Canada_zip.zip\DSC00664.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 2 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 21 for Canada_zip.zip\DSC00651.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 21 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 23 for Canada_zip.zip\DSC00653.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 23 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 3 for Canada_zip.zip\DSC00644.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 3 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 4 for Canada_zip.zip\DSC00659.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 4 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 4 for Nasreen Indian Character for V342605.zip\Runtime\textures\Syltermermaid\Nasreen\Thumbs.db - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 4 for Nasreen Indian Character for V342605.zip\Runtime\textures\Syltermermaid\Nasreen\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 4 for Nasreen Indian Character for V342605.zip\Runtime\textures\Syltermermaid\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 4 for Nasreen Indian Character for V342605.zip\Runtime\textures\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 4 for Nasreen Indian Character for V342605.zip\Runtime\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 4 for Nasreen Indian Character for V342605.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 5 for Canada_zip.zip\DSC00657.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 5 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 6 for Canada_zip.zip\DSC00658.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 6 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 7 for Canada_zip.zip\DSC00644.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 7 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 8 for Canada_zip.zip\DSC00655.jpg - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 8 for Canada_zip.zip\ - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\WER96e5.dir00\Mini030607-01.dmp - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\WER96e5.dir00\sysdata.xml - deleted
F:\DOCUME~1\Priya\LOCALS~1\Temp\WER96e5.dir00\ - deleted
F:\WINDOWS\SET1C.tmp - deleted
F:\WINDOWS\SET1F.tmp - deleted
F:\WINDOWS\SET2B.tmp - deleted
F:\WINDOWS\SET3.tmp - deleted
F:\WINDOWS\SET4.tmp - deleted
F:\WINDOWS\SET8.tmp - deleted
F:\WINDOWS\system.tmp - deleted
F:\WINDOWS\win.tmp - deleted
F:\WINDOWS\~GLH001c.TMP - deleted
F:\WINDOWS\temp\alcrmv.exe - deleted
F:\WINDOWS\temp\alcupd.exe - deleted
F:\WINDOWS\temp\Alcxau.inf - deleted
F:\WINDOWS\temp\Alcxau0.inf - deleted
F:\WINDOWS\temp\Alcxau1.inf - deleted
F:\WINDOWS\temp\Alcxau10.inf - deleted
F:\WINDOWS\temp\Alcxau11.inf - deleted
F:\WINDOWS\temp\Alcxau12.inf - deleted
F:\WINDOWS\temp\Alcxau13.inf - deleted
F:\WINDOWS\temp\Alcxau14.inf - deleted
F:\WINDOWS\temp\Alcxau15.inf - deleted
F:\WINDOWS\temp\Alcxau16.inf - deleted
F:\WINDOWS\temp\Alcxau17.inf - deleted
F:\WINDOWS\temp\Alcxau18.inf - deleted
F:\WINDOWS\temp\Alcxau19.inf - deleted
F:\WINDOWS\temp\Alcxau2.inf - deleted
F:\WINDOWS\temp\Alcxau20.inf - deleted
F:\WINDOWS\temp\Alcxau21.inf - deleted
F:\WINDOWS\temp\Alcxau22.inf - deleted
F:\WINDOWS\temp\Alcxau23.inf - deleted
F:\WINDOWS\temp\Alcxau24.inf - deleted
F:\WINDOWS\temp\Alcxau25.inf - deleted
F:\WINDOWS\temp\Alcxau26.inf - deleted
F:\WINDOWS\temp\Alcxau27.inf - deleted
F:\WINDOWS\temp\Alcxau3.inf - deleted
F:\WINDOWS\temp\Alcxau4.inf - deleted
F:\WINDOWS\temp\Alcxau5.inf - deleted
F:\WINDOWS\temp\Alcxau6.inf - deleted
F:\WINDOWS\temp\Alcxau7.inf - deleted
F:\WINDOWS\temp\Alcxau8.inf - deleted
F:\WINDOWS\temp\Alcxau9.inf - deleted
F:\WINDOWS\temp\alcxwdm.cat - deleted
F:\WINDOWS\temp\alcxwdm.sys - deleted
F:\WINDOWS\temp\Alcxwdm0.cat - deleted
F:\WINDOWS\temp\alsndmgr.cpl - deleted
F:\WINDOWS\temp\alsndmgr.wav - deleted
F:\WINDOWS\temp\ASPNETSetup_00000.log - deleted
F:\WINDOWS\temp\ASPNETSetup_00001.log - deleted
F:\WINDOWS\temp\ChCfg.exe - deleted
F:\WINDOWS\temp\ewc64ee3.TMP - deleted
F:\WINDOWS\temp\ftc8y87p.TMP - deleted
F:\WINDOWS\temp\HP000000.IDX - deleted
F:\WINDOWS\temp\HP000001.PDL - deleted
F:\WINDOWS\temp\HP000002.PDL - deleted
F:\WINDOWS\temp\HP000003.PDL - deleted
F:\WINDOWS\temp\HP000004.PDL - deleted
F:\WINDOWS\temp\MSSSerif120.fon - deleted
F:\WINDOWS\temp\newdev.dll - deleted
F:\WINDOWS\temp\Perflib_Perfdata_4d0.dat - deleted
F:\WINDOWS\temp\PQ_BATCH.004 - deleted
F:\WINDOWS\temp\PQ_BATCH.005 - deleted
F:\WINDOWS\temp\PQ_BATCH.PQB - deleted
F:\WINDOWS\temp\PQ_DEBUG.001 - deleted
F:\WINDOWS\temp\PQ_DEBUG.002 - deleted
F:\WINDOWS\temp\PQ_DEBUG.003 - deleted
F:\WINDOWS\temp\PQ_DEBUG.004 - deleted
F:\WINDOWS\temp\PQ_DEBUG.005 - deleted
F:\WINDOWS\temp\PQ_DEBUG.TXT - deleted
F:\WINDOWS\temp\RtlCPAPI.dll - deleted
F:\WINDOWS\temp\RTLCPL.exe - deleted
F:\WINDOWS\temp\servic000.log - deleted
F:\WINDOWS\temp\soundman.exe - deleted
F:\WINDOWS\temp\TWAIN.LOG - deleted
F:\WINDOWS\temp\Twain001.Mtx - deleted
F:\WINDOWS\temp\Twunk001.MTX - deleted
F:\WINDOWS\temp\Twunk002.MTX - deleted
F:\WINDOWS\temp\_ISTMP1.DIR\001C15F1._MP - deleted
F:\WINDOWS\temp\_ISTMP1.DIR\ - deleted
F:\Documents and Settings\Priya\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
F:\Documents and Settings\Priya\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
F:\Documents and Settings\Priya\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
F:\Documents and Settings\Priya\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
F:\Documents and Settings\Priya\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
F:\Documents and Settings\NetworkService\Cookies\index.dat - deleted
F:\Documents and Settings\NetworkService\locals~1\tempor~1\Content.IE5\index.dat - deleted
F:\Documents and Settings\NetworkService\locals~1\tempor~1\Content.IE5\HCU81TJD\061-2769.English[1].dist - deleted
F:\Documents and Settings\NetworkService\locals~1\tempor~1\Content.IE5\SHAZUZUT\061-2802.English[1].dist - deleted
F:\Documents and Settings\NetworkService\locals~1\tempor~1\Content.IE5\UW8EGA1I\061-3007.English[1].dist - deleted
F:\Documents and Settings\NetworkService\locals~1\tempor~1\Content.IE5\UW8EGA1I\index-windows-1[1].sucatalog - deleted
F:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat - deleted
F:\Documents and Settings\LocalService\Cookies\index.dat - deleted
F:\Documents and Settings\LocalService\locals~1\tempor~1\Content.IE5\index.dat - deleted
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat - deleted
F:\Documents and Settings\Default User\Cookies\index.dat - deleted
F:\Documents and Settings\Default User\locals~1\tempor~1\Content.IE5\index.dat - deleted
F:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat - deleted
'Run MRU' list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.5.2 recovered 727.5 MB of disk space from 2674 files.
CleanUp! finished on 03/07/07 21:42:02.

HouseCall Files:

SPYWARE_TRAK_MSNSPYMONITOR

cookie_doubleclick
cookie_profiling

(MS05-004) ASP.NET Path Validation Vulnerability (887219)... there was just information on this, no option to clean or remove.


----------



## bella6100 (Feb 7, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 11:21:09 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] F:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


----------



## Byteman (Jan 24, 2002)

Hi, that CleanUp! log you posted, though it was not asked for, shows a lot of things that were deleted; some are pictures!

F:\DOCUME~1\Priya\LOCALS~1\Temp\Temporary Directory 1 for Canada_zip.zip\*DSC00666.jpg* - deleted

There were quite a few .jpg files deleted and I really hope you have copies of them someplace safe, like My Pictures folder, or, an album or on a memory chip!

SPYWARE_TRAK_MSNSPYMONITOR

I am not sure just what this is, and there is only a little decent info about it; it may have come in with the keylogger you had. It seems to be a way to spy on whatever the PC user does... a keylogger.

If you let Housecall remove the items, that is OK.

Next:

Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HijackThis* log in your next reply.
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.*


----------



## bella6100 (Feb 7, 2005)

It's ok, I didn't need any of those jpg files; they are all backed up elsewhere, but thank you.

07-03-08 1:13:29 Service Pack 2
ComboFix 07-03-08 - Running from: "F:\Documents and Settings\Priya\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

F:\WINDOWS\system32\vbzip11.dll
F:\DOCUME~1\Priya\Desktop\Internet.lnk
F:\WINDOWS\DOWNLO~1.\MyWebEx

((((((((((((((((((((((((((((((( Files Created from 2007-02-08 to 2007-03-08 ))))))))))))))))))))))))))))))))))

2007-03-07 22:03 d--------	F:\DOCUME~1\Priya\.housecall6.6
2007-03-07 21:24 d--------	F:\DOCUME~1\Priya\APPLIC~1\Sun
2007-03-07 18:46 d--------	F:\DOCUME~1\Priya\APPLIC~1\Corel
2007-03-07 16:09 d--------	F:\DOCUME~1\Priya\APPLIC~1\Creative
2007-03-07 15:25 d--------	F:\WINDOWS\system32\ActiveScan
2007-03-06 23:29	3,968	--a------	F:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-06 21:24	51,072	--a------	F:\WINDOWS\system32\drivers\ikhlayer.sys
2007-03-06 21:24	30,592	--a------	F:\WINDOWS\system32\drivers\ikhfile.sys
2007-03-06 21:24 d-a------	F:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-06 21:24 d--------	F:\Program Files\Spyware Doctor
2007-03-06 21:24 d--------	F:\DOCUME~1\Priya\APPLIC~1\PC Tools
2007-03-05 21:54 d--------	F:\WINDOWS\system32\dt
2007-03-04 20:25 d--------	F:\WINDOWS\SxsCaPendDel
2007-03-04 14:33 d--------	F:\Program Files\Microsoft ActiveSync
2007-03-04 08:35 d--h-----	F:\DfSp_DoB
2007-03-04 07:49 d--------	F:\Program Files\StompSoft
2007-02-20 21:33 d--------	F:\WINDOWS\network diagnostic
2007-02-15 22:41	626,960	-ra------	F:\WINDOWS\system32\hpvaut32.dll
2007-02-15 22:41	487,424	-ra------	F:\WINDOWS\system32\hpvcp70.dll
2007-02-15 22:41	44,544	-ra------	F:\WINDOWS\system32\MSXML4a.dll
2007-02-15 22:41	344,064	-ra------	F:\WINDOWS\system32\hpvcr70.dll
2007-02-15 22:40 d--------	F:\Program Files\Common Files\Hewlett-Packard
2007-02-12 19:32	195	--a------	F:\WINDOWS\PowerReg.dat
2007-02-09 18:19 d--------	F:\Program Files\Corel
2007-02-09 06:22 d--------	F:\Program Files\Windows Security files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-07 18:14	--------	d--------	F:\Program Files\norton antivirus
2007-03-07 18:14	--------	d--------	F:\Program Files\Common Files\symantec shared
2007-03-07 17:22	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\adobe
2007-03-07 16:51	--------	d--h-----	F:\Program Files\installshield installation information
2007-03-07 16:50	--------	d--------	F:\Program Files\creative
2007-03-07 16:47	--------	d---s----	F:\DOCUME~1\Priya\APPLIC~1\microsoft
2007-03-04 08:10	--------	d--------	F:\Program Files\ahead
2007-03-04 06:42	--------	d--------	F:\Program Files\symantec
2007-03-03 18:17	--------	d--------	F:\Program Files\yahoo!
2007-02-24 11:57	--------	d--------	F:\Program Files\windows nt
2007-02-07 21:46	2298	--a------	F:\WINDOWS\sdn32reg.dll
2007-02-04 10:53	--------	d--------	F:\Program Files\Common Files\acd systems
2007-02-03 07:23	10368	--a------	F:\WINDOWS\system32\drivers\pfc.sys
2007-01-27 10:44	--------	d--------	F:\Program Files\Common Files\adobe
2007-01-23 13:13	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\murasu
2007-01-21 11:41	--------	d--------	F:\Program Files\kuralsoft
2007-01-20 12:59	77900	--a------	F:\WINDOWS\uinst001.exe
2007-01-19 18:47	--------	d--------	F:\Program Files\real
2007-01-15 12:55	--------	dr-h-----	F:\DOCUME~1\Priya\APPLIC~1\yahoo!
2007-01-08 20:56	4464640	--a------	F:\WINDOWS\sspro.exe
2007-01-02 19:17	24576	--a------	F:\WINDOWS\spbalert.exe
2007-01-02 19:15	24576	--a------	F:\WINDOWS\spsplsh.exe
2007-01-02 19:14	720896	--a------	F:\WINDOWS\spinsavc.exe
2007-01-02 19:14	430080	--a------	F:\WINDOWS\runprf32.exe
2007-01-02 19:14	126976	--a------	F:\WINDOWS\winfrgsys.dll
2006-12-26 21:18	48776	--a------	F:\WINDOWS\system32\s32evnt1.dll
2006-12-12 18:35	671	--a------	F:\WINDOWS\mozver.dat

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Spyware Doctor"="F:\\PROGRA~1\\SPYWAR~2\\swdoctor.exe /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"F:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"F:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"SunJavaUpdateSched"="\"F:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BrowserWatch"="F:\\Program Files\\StompSoft\\Digital File Shredder Pro\\BrowserWatchControl.exe"
"!AVG Anti-Spyware"="\"F:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="F:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="F:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Murasu Anjal2000.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Murasu Anjal2000.lnk"
"backup"="F:\\WINDOWS\\pss\\Murasu Anjal2000.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MURASU~1\\ANJAL2~1\\anjal.exe "
"item"="Murasu Anjal2000"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares ultra]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares Ultra"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Ares Ultra\\Ares Ultra.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTRegRun"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\CTRegRun.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireflyMini]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FireflyMini"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\SnapStream Media\\Firefly Mini\\FireflyMini.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide IP Platinum]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hideippla"
"hkey"="HKCU"
"command"="F:\\Program Files\\Hide IP Platinum\\hideippla.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyman.exe-thamizha]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyman"
"hkey"="HKCU"
"command"="F:\\Program Files\\Tavultesoft\\Keyman-thamizha\\keyman.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kural 3.2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kural"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\KuralSoft\\3.2\\Kural.exe\" -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kural 3.3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kural"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\KuralSoft\\3.3\\Kural.exe\" -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mssysmgr"
"hkey"="HKCU"
"command"="F:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="raid_tool"
"hkey"="HKLM"
"command"="F:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"F:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"F:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"F:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
WudfServiceGroup	REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\AppleSoftwareUpdate.job
F:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - BCM.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-08 1:15:51

Logfile of HijackThis v1.99.1
Scan saved at 1:18:38 AM, on 3/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] F:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


----------



## Byteman (Jan 24, 2002)

Hi, the ComboFix log shows another keylogger installed.

I need to see this:

Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.


----------



## bella6100 (Feb 7, 2005)

Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
AppCore
Apple Software Update
AV
AVG Anti-Spyware 7.5
Beyond TV DVD Burning Foundation
ccCommon
CleanUp!
Corel Painter IX
File Shredder
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HyperTerminal Private Edition v6.3
Internet Worm Protection
iPod for Windows 2005-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 9
Kural 3.3
MapleStory
MaxBlast 4
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.2)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Nero 6 Ultra Edition
NeroVision Express 2
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Panda ActiveScan
PowerQuest PartitionMagic 8.0
RealPlayer
Realtek AC'97 Audio
S801TFN
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
SPBBC 32bit
Spyware Doctor 4.0
Symantec
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
VIA Platform Device Manager
VIA Rhine-Family Fast Ethernet Adapter
Windows Installer 3.1 (KB893803)
Windows Media 8 Encoding Utility
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Tools 4.0
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781


----------



## Byteman (Jan 24, 2002)

Hi, the second keylogger is a commercial one; that is why it was not detected and removed by any of the antispyware programs or scans.

Someone may have paid for it, I just need you to tell me it doesn't belong on the computer and we will try to have you remove it.

These things can hide, so bear with me as I have to get you to hunt for an uninstaller for *System Security Pro*, which is the name of this keylogging program.

Here is a description of it, what files you may have to find and delete, as well.

http://www3.ca.com/au/securityadvisor/pest/pest.aspx?id=453101898

These are the files I can see from ComboFix log, relating to this keylogger, but, you may have any of those at the site listed, so you will have to look for them, more about this later.

2007-01-08 20:56 4464640 --a------ F:\WINDOWS\sspro.exe
2007-01-02 19:17 24576 --a------ F:\WINDOWS\spbalert.exe
2007-01-02 19:15 24576 --a------ F:\WINDOWS\spsplsh.exe
2007-01-02 19:14 720896 --a------ F:\WINDOWS\spinsavc.exe
2007-01-02 19:14 430080 --a------ F:\WINDOWS\runprf32.exe
2007-01-02 19:14 126976 --a------ F:\WINDOWS\winfrgsys.dll

You will have to wait just a bit while I run out and do a few things...I will be back in an hour, sorry...

The general idea is to delete those and any of the files you can find that are listed at the site I have above....and, to definitely use *Safe Mode to delete them!*

I will have better help in just an hour or so. I just got back in town from a medical appointment...


----------



## bella6100 (Feb 7, 2005)

Well, it definitely does not belong on my computer, so I will find each of those files and delete them in safe mode, and I will let you know when I finish that and I will post a new Hijack This log. Take your time, there is no rush- I just really appreciate all your help and you have been so fast with all your replies


----------



## Byteman (Jan 24, 2002)

You should make a new Restore Point before going to Safe Mode and deleting those files.

I'm not sure but there may even be an uninstaller for the keylogger somewhere- 

If you check in the folder it has listed at that site, there may be one. 

If someone really knew what they were doing they would not leave the uninstaller on the computer though! 

Make a Restore Point:

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Click Create and you're done.


----------



## Byteman (Jan 24, 2002)

Hi, I've added info about creating a Restore Point, to my last reply so posted this to let you know....


----------



## bella6100 (Feb 7, 2005)

Files I deleted:

runprf32.exe
spinsavc.exe
spbalert.exe
sspro.exe
spsplsh.exe
sdn32reg.dll
sspr

Files I couldn't locate:

sspro_48.exe
spr32p.chm
systemsurvpro.htm
%programs%\system surveillance pro 4.8\help manual.lnk
%programs%\system surveillance pro 4.8\sspro data viewer.lnk
%programs%\system surveillance pro 4.8\uninstall sspro.lnk

Also, I didn't delete the file F:\WINDOWS\winfrgsys.dll because it wasn't listed on the site you provided. Did you want me to delete it anyway?

Logfile of HijackThis v1.99.1
Scan saved at 9:05:56 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\SPYWAR~2\swdoctor.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\internet explorer\iexplore.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe
F:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] F:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


----------



## Byteman (Jan 24, 2002)

Hi, that one file F:\WINDOWS\winfrgsys.dll is an "unknown", which usually means it is bad, but let's try to make sure.

Scan the entire computer at Panda: (see if it will work now)

(if you don't have about an hour, skip it till you have time)

*HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

It may be that one of your protective programs is the reason you cannot do a scan at Panda, I have one computer that will not run it either....

Try this one which should work:


* Go here and do the BitDefender online virus scan.
Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop so you can *attach* it to your next reply to this thread.


----------



## Byteman (Jan 24, 2002)

Hi, I added a second online scan site for you in case the Panda one still does not work.....

it's in my last reply, added by editing it....


----------



## bella6100 (Feb 7, 2005)

I did the BitDefender scan and it opened up into a web browser, and this is what I got when I copy-pasted it. I hope you can read it OK, as I tried to clean it up a little. Basically it's the file and then under that the status...


Scanned File 
Status

C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Infected with: Generic.Perfloger.CC4530A7
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Infected with: Generic.Malware.P!VPk!.EAE444B5
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Infected with: Generic.Keylogger.973E2DBF
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050011.exe
Infected with: Generic.Perfloger.EEEFE1B3
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050011.exe
Disinfection failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050011.exe
Deleted
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050013.exe
Infected with: Generic.Keylogger.973E2DBF
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050013.exe
Disinfection failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050013.exe
Deleted
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050014.exe
Infected with: Generic.Keylogger.973E2DBF
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050014.exe
Disinfection failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050014.exe
Deleted
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050015.dll
Infected with: Generic.Perfloger.CC4530A7
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050015.dll
Disinfection failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050015.dll
Deleted
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050016.dll
Infected with: Generic.Perfloger.CC4530A7
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050016.dll
Disinfection failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050016.dll
Deleted
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050017.exe
Infected with: Generic.Malware.P!VPk!.EAE444B5
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050017.exe
Disinfection failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050017.exe
Deleted
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050018.exe
Infected with: Generic.Perfloger.AA8D53CB
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050018.exe
Disinfection failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050018.exe
Deleted
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050019.exe
Infected with: Generic.Malware.P!VPk!.EAE444B5
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050019.exe
Disinfection failed
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050019.exe
Deleted
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050012.exe
Infected with: Generic.Perfloger.EEEFE1B3
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050012.exe
Disinfection failed
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050012.exe
Deleted
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050020.exe
Infected with: Generic.Malware.P!VPk!.EAE444B5
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050020.exe
Disinfection failed
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050020.exe
Deleted
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050021.exe
Infected with: Generic.Perfloger.AA8D53CB
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050021.exe
Disinfection failed
H:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP178\A0050021.exe
Deleted


----------



## Byteman (Jan 24, 2002)

Hi, I think most of those files were found in AVG's backups, and not new items; it's good that they were deleted.

(Some were in System Restore, and they also were deleted.)

You can check, by starting AVG Antispyware, and looking at the Quarantined items....

If you'd rather, just do a new scan with AVG and see what it finds.

But, there were a few that look new, and they were deleted.

*rinst.exe * is part of the first keylogger we removed (Perfect Keylogger).

Just the name of the file suggests "reinstall" to me, as the files for the keyloggers can be renamed by whoever installs it, in an effort to disguise what they have done.

It's either being reinstalled by someone at where the computer is, or some sort of protected malware that can't simply be deleted until we find out what it is.

There is the possibility that your computer has been hacked, that is, a trojan has established a connection for someone to actually control the computer.... this is common these days, and we will have to look for what that could be.

Even changing passwords might not help until the infection, if it is that, is cleared up, as the new passwords would be "seen" by anyone on the receiving end.

I really hate to suggest this, but do you believe that a person where you are, is responsible and could be reinstalling anything?


----------



## bella6100 (Feb 7, 2005)

To answer your question, yes I think it is possible. I did another AVG scan and all it found was tracking cookies.....


----------



## Byteman (Jan 24, 2002)

Hi, Good, perhaps this will end it!

You should try a scan after letting the computer alone, I have to go offline soon.


Try and keep track of who uses the computer- I can't tell you what to do if you do find that later today, a new scan shows that one or more of these keyloggers is back, if someone is reinstalling them.

You did a new AVG scan, with nothing found. Later, do another Bit Defender scan and see what turns up.

Whoever is doing this may catch on, and wait a while before reinstalling keyloggers- so, you will have to continue to scan and also have to deal with somehow anyone who is doing this.

The only purpose of a keylogger is to watch what you or other users do; they show where you go, what you type, almost everything.

I don't know if you want to or can go as far as locking everyone out of the computer- that certainly can be done, but they will more than likely then try other ways to gain access. 
Definitely, quite a predicament to be in. 

If someone near you is responsible, by now they already know that you are removing their spyware.


----------



## bella6100 (Feb 7, 2005)

Ok, I understand that and I will run another scan today and see what happens. Also, what is the best antivirus program that I can have that is freeware because the Norton subscription is ending soon. 
One more thing lol, if I already have AVG Anti-Spyware, do I also need Spyware Doctor?

Ok I just ran another AVG scan and it only found tracking cookies, and then I ran a Spyware Doc scan and it found a Trojan called Trojan.PWS.Tanspy and it gave me two registry entries, but I only have the free version so it can't delete or quarantine them. Should I delete them manually?

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load##


----------



## Byteman (Jan 24, 2002)

Hi, I like AVG Free Edition 7.5-

*http://www.grisoft.com/doc/products-avg-anti-virus-free-edition/us/crp/0*

Download the program, but do not install it just yet!

You should of course completely uninstall Norton and all parts of it first, from the Add/Remove programs list...there are all these:

Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Symantec
SymNet < I can't tell you what order to go about uninstalling all these, do the best you can, for some of them, they will give you a message when you try to uninstall a component that depends on another in the wrong sequence....so, you retry the other one first, etc.>

*You also have to delete the Scheduled Task job, that Norton has before you go to uninstall the components.*

To modify a scheduled task, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks. The Scheduled Tasks window opens so that you can modify the settings. Find the scheduled antivirus scan or scans, and delete them-

To delete a task, right-click the task in the Scheduled Tasks window, and then click Delete.

Looks like the Corporate Version, too, so we cannot use the Symantec removal tool they provide online, it is not meant for use with your version.

You sometimes get a message during the uninstall for Norton products, "Do you want to keep or delete the Shared Files...?" 
**KEEP** these, as removing them, can cause some really bad system errors sometimes.

Spyware Doctor- You can keep it along with AVG Antispyware, if it is the free version. 
There may be settings within Spyware Doctor, so that it does not start up when the computer does...the free version doesn't have Real Time protection so it should not interfere with anything.

You can also use AdAware SE, SpyBot, and Spywareblaster.

I currently have SUPERantispyware, AVG Antispyware, AdAware SE, SpyBot, Spywareblaster, on my PC.

Since I am "trying out" SUPER A/S, I have AVG Antispyware set to not be running at startup.

RE: Those two Registry items, yes, you can delete them:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\*load *
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\*load## *


----------



## bella6100 (Feb 7, 2005)

Ok, I completely uninstalled Norton and I downloaded AVG Free. I will do scans on a regular basis from now on. Also, at what times do I have to go into safe mode to run scans? As for programs such as Cleanup, is it OK to run it in normal mode? Anyway, I want to thank you so much for all your help and your quick and easy to understand instructions.


----------



## Byteman (Jan 24, 2002)

Hi, I only post to run CleanUP in Safe Mode, *during a malware removal procedure, since half the time the scans are also done in Safe Mode....well, it just seems to work best and that is the way I was taught. We are interested in removing temp files, as that's often where a lot of the bad files are, so in Safe Mode everything is less active and they will remove easier. This is most often also the first time any temp file cleaning has been done, so we were taught to expect the unexpected, and use temp file cleaners in Safe Mode, at least the first usage*

After your computer is cleaned up, you can do CleanUp in Normal Mode.

Some people, like to be more careful, and only use it in Safe Mode, I use it all the time in Normal Mode, every two days, since I am a heavy Net user. Office users, folks who do a lot of document creating with large suites that use databases....often find that too much temp file cleaning is not good- as these temp files can still be "In Use" when you hit the CleanUp button and you can have problems...they would be more apt to boot to Safe Mode, or wait until a day or so has gone by, to run heavy duty file cleanup.....so they may want to use something like CleanUP, first thing the next day rather than the last thing at end of the day, like I do. My work consists of just general surfing so my computers pick up tons of temporary Internet Files, and little else, so I can just go ahead and do the cleanup as my last step before shutting down.

******Before you scan, with any antivirus or antispyware program, always check for detection updates for each program, as you start it up, the first thing to do, if the program doesn't have an automatic updater built in, is to check for the latest Updates so it can deal with the newest malware*******

Also--- AVG Antispyware probably should always be used in Safe Mode, since you are scanning for active trojans....they seem to be dealt with much easier, and the system is less busy in Safe Mode....

I use Adaware and SpyBot in Normal Mode, but if the computer I am fixing is very infected, sometimes, the programs will not complete a scan in Normal Mode....

For your normal, once in a while scans, Normal Mode is fine.

AVG Antivirus: Normal Mode is usually OK, but again, it depends on what the infection is; for everyday use Normal Mode should be fine for you to scan.

The computer may not even be able to boot to Normal Mode in some cases, so in that case, almost every one of these programs, will work just fine in Safe Mode....though, the settings buttons can be difficult to see if your system in Safe Mode makes the screen resolution a lot lower than normal, so the windows are bigger and harder to reach and see everything.

A good thing to do, if at any point you suspect malware has gotten in the computer, is do a Panda online scan; that does not clean ad and spyware, but it shows exactly what and where the files are so you know what you are dealing with, then you run your other programs that do clean ad and spyware....

If it's a trojan that Panda doesn't clean, you run AVG Antispyware....and, always use AdAware and SpyBot, and between all of these, you will catch pretty much every thing you need to clean.


----------



## bella6100 (Feb 7, 2005)

Ok, that's a lot of good information to know. Right now, I have AVG Free, AVG Anti-Spyware, Ad-aware, as well as Spyware Doc. The only thing is that if Spyware Doctor is not on, it activates every time I open up any IE page, and it takes a while to load. Is it OK to uninstall Spyware Doc, or is it necessary?

I ran all scans and I am just posting another Hijack Log as well as a Bit Defender Scan report

Logfile of HijackThis v1.99.1
Scan saved at 12:27:11 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Grisoft\AVG7\avgcc.exe
F:\Program Files\Hijackthis\HijackThis.exe
F:\Program Files\internet explorer\iexplore.exe
F:\PROGRA~1\SPYWAR~2\swdoctor.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe

BIT DEFENDER:

C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Infected with: Generic.Perfloger.CC4530A7
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Infected with: Generic.Malware.P!VPk!.EAE444B5
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Infected with: Generic.Keylogger.973E2DBF
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed
F:\Program Files\iTunes\iTunes.Resources\it.lproj\iPod Help.chm=>exploit
Infected with: Exploit.Itss.A
F:\Program Files\iTunes\iTunes.Resources\it.lproj\iPod Help.chm=>exploit
Disinfection failed
F:\Program Files\iTunes\iTunes.Resources\it.lproj\iPod Help.chm=>exploit
Deleted
F:\Program Files\iTunes\iTunes.Resources\it.lproj\iPod Help.chm
Update failed


----------



## Byteman (Jan 24, 2002)

Hi, Spyware Doctor, unless it is the paid version, is just a scanner; you can do the same thing with an online scan at Panda and a scan with your AVG for the most part. It can go.

I see the keylogger was put back, and has now been removed once more.

Let's have a log from this tool, and maybe something else will be shown:

Silent Runners
Download: Silent Runners, and choose Save Target As. In the Save As window, go to a folder that you can find easily, such as My Documents. After the download has completed, go to the directory where the script was saved.
To launch the script, double-click it.
You may get a warning from your anti-virus program. The script may take as little as 30 seconds or as much as several minutes to complete. When it's finished, it'll display a little window for 5 seconds and say "All Done!" and show you where the log it made is... the location is in the same folder, for example My Documents, if you used that folder.
The name will always start with the words, Startup Programs and will be followed by the name of your PC in parentheses, followed by the date. The date format is the year, then the month, then the day.
Copy and paste the contents of the log in a reply please.


----------



## bella6100 (Feb 7, 2005)

Ok, here is the Silent Runners log. I tried uninstalling Spyware Doctor, and the uninstall opens up and one little progress bar comes up, but it goes no further than that. I tried it in safe mode, and I get the same problem.

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""F:\Program Files\QuickTime\qttask.exe" -atboottime" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = ""F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"BrowserWatch" = "F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe" [null data]
"!AVG Anti-Spyware" = ""F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"AVG7_CC" = "F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"KernelFaultCheck" = "F:\WINDOWS\system32\dumprep 0 -k"

HKLM\Software\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath = "F:\WINDOWS\system32\ieudinit.exe" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "F:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "F:\PROGRA~1\WINDOW~1\HYPERT~1\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "F:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "F:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
StompSoftShredder\(Default) = "{551F9EFA-A0E5-462B-875F-B98BD116613C}"
-> {HKLM...CLSID} = "CopyPathContextMenu Class"
\InProcServer32\(Default) = "F:\Program Files\StompSoft\Digital File Shredder Pro\ShellMenu.dll" ["StompSoft"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
StompSoftShredder\(Default) = "{551F9EFA-A0E5-462B-875F-B98BD116613C}"
-> {HKLM...CLSID} = "CopyPathContextMenu Class"
\InProcServer32\(Default) = "F:\Program Files\StompSoft\Digital File Shredder Pro\ShellMenu.dll" ["StompSoft"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\Priya\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "F:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
AVG E-mail Scanner, AVGEMS, "F:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 66 seconds, including 18 seconds for message boxes)


----------



## Byteman (Jan 24, 2002)

Hi, I found a bit of help with uninstalling Spyware Doctor

*http://www.triggernews.com/supportadv*

You may have better results by REinstalling the same version of SpyWare Doctor, and then doing an uninstall. This is often the case where a registry cleaner, for example, has taken something out.

There is a download link at that page above. Just might do the trick!

The last log is OK, nothing bad in that.

I think I posted this already, but I would advise you to scan at various times to see if these keyloggers are returning.

If they do, during a time period when you are 100% sure that no one else has touched the computer, if that is possible for you to be sure about, then the program is being reinstalled by something else and we will have to dig around and find out what that is.

Good luck!


----------



## bella6100 (Feb 7, 2005)

Hi there,

I was just wondering: when I run the Bit Defender scan and it shows infected files but it says in Quarantine, is that ok or do I have to do something else? I am running scans but have not found anything else so far, but the same files show up but they have (Quarantine) and I thought you said that was ok, so I just wanted to make sure.


----------



## Byteman (Jan 24, 2002)

Hi, Post a couple of examples if you can, but it does sound like files detected in another program's Quarantine... the files are backed up by whatever program removes them; this is standard procedure in case of a false detection, or if the user has the program set to "Quarantine". I would need to know which program's Quarantine you are meaning, and what you are scanning with.

If it was Kaspersky online scan> then it would most likely be finding files in AVG Antispyware or your antivirus program Quarantined files area.

Files that are quarantined are separated from the operating system etc. and cannot, that I know of, do anything, but........ they can be restored out of quarantine back to where they were, if for example you or someone slips and hits the wrong button while examining what is in the Quarantine of any given program..... You can normally Delete all items in there, but it is best to wait several days, and I think you have done that, so as soon as I know which program they were located in, I can help you....


----------



## bella6100 (Feb 7, 2005)

Well here are the results of my latest BitDefender online scan:
Also, do you know how I can fix the fact that when I try to play this game Maple Story on my comp, at times it will shut down on its own and I'll get a msg saying that the Sisgrv display is not working properly?

C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Infected with: Generic.Perfloger.CC4530A7
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2hk.dll=>(Quarantine-PE)
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Infected with: Generic.Malware.P!VPk!.EAE444B5
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>rinst.exe
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Infected with: Generic.Keylogger.973E2DBF
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Disinfection failed
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)=>windowsxp2.exe=>(Quarantine-PE)
Deleted
C:\WINDOWS\inst_iexplore.exe=>(RAR Sfx o)
Update failed


----------



## Byteman (Jan 24, 2002)

Hi, I am very sorry but I still cannot tell which program has the files in Quarantine!!!

Run AVG Antispyware please and post the log from that, when you see the same keylogger found by it, or any other scan, except this maddening BitDefender scan.


----------



## bella6100 (Feb 7, 2005)

Hi again

Ok, I am posting a new Hijack This log and I am also including a list of some running processes, because I don't think all of them are necessary. I will be doing some other scans later today to see if everything is clean still.

Processes:

msiexec.exe
wmiprvse.exe
spoolsv.exe
symlcsvc.exe
AppSvc32.exe
CCSVCHST.exe
BrowserWatchControl.exe
lsass.exe
csrss.exe
smss.exe
alg.exe

Logfile of HijackThis v1.99.1
Scan saved at 7:52:30 AM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\Common Files\AOL\1175744380\ee\AOLSoftware.exe
F:\WINDOWS\system32\windowsxp2.exe
F:\WINDOWS\system32\msiexec.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] F:\Program Files\Common Files\AOL\1175744380\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [windowsxp2] F:\WINDOWS\system32\windowsxp2.exe
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - F:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - F:\Program Files\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
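
The HijackThis log above is the evidence the next reply draws on: the same file, F:\WINDOWS\system32\windowsxp2.exe, appears both under "Running processes" and as an O4 HKLM Run entry. As an added example, not part of the thread and not HijackThis's own code, here is a small Python triage script that parses a log in that format, flags Run entries that launch a non-baseline executable straight out of the Windows system directory, checks whether that file is currently in the process list, and separately lists entries whose file is already gone ("(no file)" / "(file missing)"). The sample log embedded in it is constructed from an abridged copy of the log above, and the `SYSTEM_DIR_BASELINE` allowlist is an assumption an analyst would maintain, not something from the thread.

```python
"""Triage a HijackThis-style log: cross-check autorun entries against running
processes. Added example for this thread; not HijackThis code."""
import ntpath
import re
from collections import namedtuple

Autorun = namedtuple("Autorun", "hive key name command")

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (abridged; the paths are the ones that appear in that log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:52:30 AM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\WINDOWS\system32\windowsxp2.exe
F:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [windowsxp2] F:\WINDOWS\system32\windowsxp2.exe
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Analyst-maintained allowlist (an assumption, not from the thread): names that are
# expected to auto-start straight out of %SystemRoot%\system32 on this machine.
SYSTEM_DIR_BASELINE = {"ctfmon.exe", "dumprep"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
SYSTEM_DIR_RE = re.compile(r"[\\/](windows|winnt)[\\/]system32[\\/][^\\/]+$", re.I)
DEAD_MARKERS = ("(no file)", "(file missing)")


def exe_path(command):
    """Return the file an autorun command launches, with its arguments stripped."""
    m = re.match(r'"([^"]+)"', command)            # quoted path, arguments follow
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)\b", command, re.I)   # unquoted path, cut at the .exe
    if m:
        return m.group(1)
    return command.split()[0]                      # no extension, e.g. "dumprep 0 -k"


def parse_hjt_log(text):
    """Split a log into (running processes, O4 Run entries, entries whose file is gone)."""
    processes, autoruns, dead = [], [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                  # the section ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append(Autorun(*m.groups()))
        if re.match(r"O\d+ - ", line) and any(mark in line for mark in DEAD_MARKERS):
            dead.append(line)
    return processes, autoruns, dead


def triage(text, baseline=SYSTEM_DIR_BASELINE):
    """Flag Run entries that launch a non-baseline file from the system directory."""
    processes, autoruns, dead = parse_hjt_log(text)
    running = {p.lower() for p in processes}
    findings = []
    for entry in autoruns:
        path = exe_path(entry.command)
        if SYSTEM_DIR_RE.search(path) and ntpath.basename(path).lower() not in baseline:
            findings.append({
                "name": entry.name,
                "hive": entry.hive,
                "path": path,
                "running": path.lower() in running,   # also present in the process list?
            })
    return {"processes": processes, "autoruns": autoruns,
            "findings": findings, "dead_entries": dead}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report["findings"]:
        state = "running now" if f["running"] else "not running"
        print(f"[!] {f['hive']} Run entry [{f['name']}] launches {f['path']} ({state})")
    for line in report["dead_entries"]:
        print(f"[-] dead entry, file absent: {line}")
```

Run as a script it prints one `[!]` line for the windowsxp2 entry and one `[-]` line for the orphaned BHO. The system-directory rule is a heuristic, so a hit means "look this entry up", not "malware confirmed": some legitimate software does auto-start from system32, which is what the baseline set is for. Dead entries are clutter rather than infection, matching the "most of what it finds will be harmless" advice at the top of the thread.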


----------



## Byteman (Jan 24, 2002)

Hi, You have what looks to be a Trojan running.

Please run AVG Antispyware and post the log from the scan.

Run the scan in *Safe Mode*, and make sure the settings are this way-

Start up the AVG Antispyware program....


Next to *Last Update*, click on *Update now*. (You will need an active internet connection to perform this.)
Wait until you see the *Update successful* message.
(When the progress lines stop, usually pressing "Start Update" will just change back; it's done if you don't get any further updating activity.)

______________________________



1. On the main window, click on the "*Scanner*" button and choose the "*Settings*" tab. 
Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan?*" check all (default). 
Under "*Possibly unwanted software*" check all (default). 
Under "*What to Scan?*" make sure "*Scan every file*" is selected (default). 
Under "*Reports*" select "*Automatically generate report after every scan*" and 
UNcheck "*Only if threats were found*".

2. Click the "*Scan*" tab to return to scanning *options*. You don't scan just yet!
3.*If* you were scanning now, you would Click "*Complete System Scan*" to start. 
4. When the scan finished you'd be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.
_HOW TO SCAN: Please note the scan is done in Safe Mode, read on_
If the computer is running, shut down Windows, and then turn off the power.
*Reboot your computer* TO *Safe Mode.* Here's how:
Wait 30 seconds, and then turn the computer on. 
Start tapping the *F8 key.* The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. 
Ensure that the Safe Mode option is selected. 
Press Enter. The computer then begins to start in Safe mode. 
Login on your *usual account.*
Launch AVG Antispyware
Click "*Complete System Scan*" to start.

*IMPORTANT!* Do not save the report before you have clicked the *Apply all actions* button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button!

5. Click on "*Save Report*" to view all completed scans. 
Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20072020-142816.txt*.
Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.


----------



## bella6100 (Feb 7, 2005)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	10:01:37 AM 5/2/2007

+ Scan result:

F:\WINDOWS\system32\windowsxp2hk.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned with backup (quarantined).
F:\WINDOWS\system32\windowsxp2.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned with backup (quarantined).
F:\WINDOWS\system32\windowsxp2r.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned with backup (quarantined).
:mozilla.18:F:\Documents and Settings\Priya\Application Data\Mozilla\Firefox\Profiles\eyhzm68h.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Msn : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned.

::Report end


----------



## Byteman (Jan 24, 2002)

Hi, Some new tools have come along that we can use to spot where this keylogger is re-creating itself from if that is what is going on- please do this:

Download this tool to your desktop:

*http://www.uploads.ejvindh.net/rootchk.exe*

Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Next:

Download  Combofix  to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log into your next reply.

Note:
Do not mouseclick combofix's window while it runs. That may cause it to stall!
______________________________
Next:

WINPFind3U
Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a *folder named WinPFind3u on your desktop.*

Reboot to *safe mode *by pressing F8 at boot time & select safe mode in the list on the black screen


Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes * group click *Non-Microsoft* 
In the *Win32 Services * group click *Non-Microsoft* 
In the *Driver Services * group click *Non-Microsoft* 
In the *Registry * group click *Non-Microsoft* 
In the *Files Created Within* group click *30 days* Make sure Non-Microsoft only is *CHECKED- look at the bottom of that area for the checkbox*
In the *Files Modified Within* group select *30 days* Make sure Non-Microsoft only is *CHECKED-look for the checkbox*
In the *File String Search* group select *Non-Microsoft*
In the *Additional Scans* section please press *Select All* and *uncheck* Non-Microsoft only

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file 

reboot normally 
Use the *Reply* button and attach the notepad file here. Please don't try to post it into your reply; attach it to your post by using the Manage Attachments button you find below the white Reply space. Just "Browse" to the log's location; when you highlight it once, the path will show in the Upload line, then submit the log so it shows as an attachment.


----------



## bella6100 (Feb 7, 2005)

Hi, I am posting the ComboFix log and am attaching the WinPFind. I am also attaching the Rootchk file in two diff attachments because it is a large file.

"Priya" - 07-05-05 0:54:33 Service Pack 2 
ComboFix 07-04-25.4V - Running from: "F:\Documents and Settings\Priya\Desktop\New Folder\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-05 ))))))))))))))))))))))))))))))))))

2007-05-03 10:51	49,152	--a------	F:\WINDOWS\nircmd.exe
2007-05-02 11:21 d--------	F:\DocumentsandSettings
2007-05-01 12:56	3,968	--a------	F:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-29 15:40 d--------	F:\DOCUME~1\Priya\APPLIC~1\Viewpoint
2007-04-22 22:24 d--------	F:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-04-18 12:58 d--------	F:\Program Files\MSN Games
2007-04-16 21:43	80,182	--a------	F:\WINDOWS\system32\bpkch.dat
2007-04-12 12:33 d---s----	F:\DOCUME~1\Priya\UserData
2007-04-12 12:30	382,628	--a------	F:\WINDOWS\system32\bpk.dat
2007-04-09 07:41 d--------	F:\Program Files\Common Files\Wise Installation Wizard

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-13 18:54	--------	d--------	F:\Program Files\norton antivirus
2007-04-13 18:54	--------	d--------	F:\Program Files\Common Files\symantec shared
2007-04-04 22:58	--------	d--------	F:\Program Files\aol 9.0
2007-04-04 22:43	10920	--a------	F:\aolconnfix.exe
2007-04-04 22:41	--------	d--------	F:\Program Files\Common Files\nullsoft
2007-04-04 22:41	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\aol
2007-04-04 21:33	--------	d--------	F:\Program Files\msn messenger
2007-04-03 16:14	--------	d--h-----	F:\DOCUME~1\Priya\APPLIC~1\move networks
2007-04-03 15:09	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\limewire
2007-04-03 15:04	--------	d--------	F:\Program Files\limewire
2007-03-30 00:16	--------	d--------	F:\Program Files\viewpoint
2007-03-30 00:14	335	--a------	F:\WINDOWS\nsreg.dat
2007-03-29 11:28	--------	d--------	F:\Program Files\itunes
2007-03-29 11:26	--------	d--h-----	F:\Program Files\installshield installation information
2007-03-29 11:10	--------	d--------	F:\Program Files\ipod
2007-03-28 11:06	29089	--a------	F:\WINDOWS\hpoins03.dat
2007-03-28 11:05	--------	d--------	F:\Program Files\hp
2007-03-28 11:01	--------	d--------	F:\Program Files\Common Files\hp
2007-03-17 08:43	292864	--a------	F:\WINDOWS\system32\winsrv.dll
2007-03-11 11:37	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\lavasoft
2007-03-11 11:35	--------	d--------	F:\Program Files\lavasoft
2007-03-08 10:36	577536	--a------	F:\WINDOWS\system32\user32.dll
2007-03-08 10:36	40960	--a------	F:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36	281600	--a------	F:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47	1843584	--a------	F:\WINDOWS\system32\win32k.sys
2007-03-07 19:46	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\corel
2007-03-07 17:50	--------	d--------	F:\Program Files\creative
2007-03-07 17:09	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\creative
2007-03-06 22:24	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\pc tools
2007-03-06 20:59	--------	d--------	F:\Program Files\windows security files
2007-02-12 20:32	195	--a------	F:\WINDOWS\powerreg.dat
2007-02-05 15:17	185344	--a------	F:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}	F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"F:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"F:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"SunJavaUpdateSched"="\"F:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BrowserWatch"="F:\\Program Files\\StompSoft\\Digital File Shredder Pro\\BrowserWatchControl.exe"
"AVG7_CC"="F:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"HostManager"="F:\\Program Files\\Common Files\\AOL\\1175744380\\ee\\AOLSoftware.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="F:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="F:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Murasu Anjal2000.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Murasu Anjal2000.lnk"
"backup"="F:\\WINDOWS\\pss\\Murasu Anjal2000.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MURASU~1\\ANJAL2~1\\anjal.exe "
"item"="Murasu Anjal2000"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares ultra]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares Ultra"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Ares Ultra\\Ares Ultra.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTRegRun"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\CTRegRun.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireflyMini]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FireflyMini"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\SnapStream Media\\Firefly Mini\\FireflyMini.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide IP Platinum]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hideippla"
"hkey"="HKCU"
"command"="F:\\Program Files\\Hide IP Platinum\\hideippla.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyman.exe-thamizha]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyman"
"hkey"="HKCU"
"command"="F:\\Program Files\\Tavultesoft\\Keyman-thamizha\\keyman.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kural 3.2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kural"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\KuralSoft\\3.2\\Kural.exe\" -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kural 3.3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kural"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\KuralSoft\\3.3\\Kural.exe\" -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mssysmgr"
"hkey"="HKCU"
"command"="F:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="raid_tool"
"hkey"="HKLM"
"command"="F:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"F:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
WudfServiceGroup	REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-05 00:55:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-05 0:55:56
F:\ComboFix-quarantined-files.txt ... 07-05-05 00:55
F:\ComboFix2.txt ... 07-05-05 00:15
F:\ComboFix3.txt ... 07-05-03 10:51


----------



## Byteman (Jan 24, 2002)

Hi, Those scans found some things.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the *Run Fix button.*


```
[Kill Explorer]
[Unregister Dlls]
[Files/Folders - Created Within 30 days]
NY -> bpk.dat -> %System32%\bpk.dat
NY -> bpkch.dat -> %System32%\bpkch.dat
[Files/Folders - Modified Within 30 days]
NY -> bpk.dat -> %System32%\bpk.dat
NY -> bpkch.dat -> %System32%\bpkch.dat
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersAppData%\TEMP:38020A20
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersAppData%\TEMP:DFC5A2B2
[File String Scan - Non-Microsoft Only]
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersAppData%\TEMP:38020A20
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersAppData%\TEMP:DFC5A2B2
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above.

*Next: Run a new AVG Antispyware scan and post the log from it.*


----------



## bella6100 (Feb 7, 2005)

Explorer killed successfully
[Files/Folders - Created Within 30 days]
File F:\WINDOWS\SYSTEM32\bpk.dat not found!
File F:\WINDOWS\SYSTEM32\bpkch.dat not found!
[Files/Folders - Modified Within 30 days]
File F:\WINDOWS\SYSTEM32\bpk.dat not found!
File F:\WINDOWS\SYSTEM32\bpkch.dat not found!
Unable to delete ADS F:\Documents and Settings\All Users\Application Data\TEMP:38020A20 .
Unable to delete ADS F:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 .
[File String Scan - Non-Microsoft Only]
Unable to delete ADS F:\Documents and Settings\All Users\Application Data\TEMP:38020A20 .
Unable to delete ADS F:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 .
[Empty Temp Folders]
F:\DOCUME~1\Priya\LOCALS~1\Temp\ -> emptied.
F:\Documents and Settings\Priya\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 05/05/2007 13:00:31


----------



## Byteman (Jan 24, 2002)

Hi, Even though the WinPFind3u log showed that it could not delete the items in the last fix, they are gone.

Let's look at a new ComboFix log next:


Double click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HijackThis* log in your next reply.
*Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.*

You still *should do* the new AVG Antispyware scan as in my last reply. You might be in the process of posting the log from that now; if you have not scanned with AVG yet, you can do it now or after you post a new ComboFix log.


----------



## Byteman (Jan 24, 2002)

Hi, Some files to delete:

F:\Documents and Settings\BCM\Recent\bpk (2).lnk
F:\Documents and Settings\BCM\Recent\bpk.lnk
F:\Documents and Settings\BCM\Start Menu\Programs\Startup\PowerReg Scheduler.exe


----------



## bella6100 (Feb 7, 2005)

When I went to delete those three files, it denied me access to that folder.

"Priya" - 07-05-05 15:18:55 Service Pack 2 
ComboFix 07-04-25.4V - Running from: "F:\Documents and Settings\Priya\Desktop\New Folder\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-05 ))))))))))))))))))))))))))))))))))

2007-05-03 10:51	49,152	--a------	F:\WINDOWS\nircmd.exe
2007-05-02 11:21 d--------	F:\DocumentsandSettings
2007-05-01 12:56	3,968	--a------	F:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-29 15:40 d--------	F:\DOCUME~1\Priya\APPLIC~1\Viewpoint
2007-04-22 22:24 d--------	F:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-04-18 12:58 d--------	F:\Program Files\MSN Games
2007-04-12 12:33 d---s----	F:\DOCUME~1\Priya\UserData
2007-04-09 07:41 d--------	F:\Program Files\Common Files\Wise Installation Wizard

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-13 18:54	--------	d--------	F:\Program Files\norton antivirus
2007-04-13 18:54	--------	d--------	F:\Program Files\Common Files\symantec shared
2007-04-04 22:58	--------	d--------	F:\Program Files\aol 9.0
2007-04-04 22:43	10920	--a------	F:\aolconnfix.exe
2007-04-04 22:41	--------	d--------	F:\Program Files\Common Files\nullsoft
2007-04-04 22:41	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\aol
2007-04-04 21:33	--------	d--------	F:\Program Files\msn messenger
2007-04-03 16:14	--------	d--h-----	F:\DOCUME~1\Priya\APPLIC~1\move networks
2007-04-03 15:09	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\limewire
2007-04-03 15:04	--------	d--------	F:\Program Files\limewire
2007-03-30 00:16	--------	d--------	F:\Program Files\viewpoint
2007-03-30 00:14	335	--a------	F:\WINDOWS\nsreg.dat
2007-03-29 11:28	--------	d--------	F:\Program Files\itunes
2007-03-29 11:26	--------	d--h-----	F:\Program Files\installshield installation information
2007-03-29 11:10	--------	d--------	F:\Program Files\ipod
2007-03-28 11:06	29089	--a------	F:\WINDOWS\hpoins03.dat
2007-03-28 11:05	--------	d--------	F:\Program Files\hp
2007-03-28 11:01	--------	d--------	F:\Program Files\Common Files\hp
2007-03-17 08:43	292864	--a------	F:\WINDOWS\system32\winsrv.dll
2007-03-11 11:37	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\lavasoft
2007-03-11 11:35	--------	d--------	F:\Program Files\lavasoft
2007-03-08 10:36	577536	--a------	F:\WINDOWS\system32\user32.dll
2007-03-08 10:36	40960	--a------	F:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36	281600	--a------	F:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47	1843584	--a------	F:\WINDOWS\system32\win32k.sys
2007-03-07 19:46	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\corel
2007-03-07 17:50	--------	d--------	F:\Program Files\creative
2007-03-07 17:09	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\creative
2007-03-06 22:24	--------	d--------	F:\DOCUME~1\Priya\APPLIC~1\pc tools
2007-03-06 20:59	--------	d--------	F:\Program Files\windows security files
2007-02-12 20:32	195	--a------	F:\WINDOWS\powerreg.dat
2007-02-05 15:17	185344	--a------	F:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}	F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"F:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"F:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"SunJavaUpdateSched"="\"F:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BrowserWatch"="F:\\Program Files\\StompSoft\\Digital File Shredder Pro\\BrowserWatchControl.exe"
"AVG7_CC"="F:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"HostManager"="F:\\Program Files\\Common Files\\AOL\\1175744380\\ee\\AOLSoftware.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="F:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="F:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Murasu Anjal2000.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Murasu Anjal2000.lnk"
"backup"="F:\\WINDOWS\\pss\\Murasu Anjal2000.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MURASU~1\\ANJAL2~1\\anjal.exe "
"item"="Murasu Anjal2000"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares ultra]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares Ultra"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Ares Ultra\\Ares Ultra.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTRegRun"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\CTRegRun.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireflyMini]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FireflyMini"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\SnapStream Media\\Firefly Mini\\FireflyMini.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide IP Platinum]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hideippla"
"hkey"="HKCU"
"command"="F:\\Program Files\\Hide IP Platinum\\hideippla.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyman.exe-thamizha]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyman"
"hkey"="HKCU"
"command"="F:\\Program Files\\Tavultesoft\\Keyman-thamizha\\keyman.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kural 3.2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kural"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\KuralSoft\\3.2\\Kural.exe\" -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kural 3.3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kural"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\KuralSoft\\3.3\\Kural.exe\" -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mssysmgr"
"hkey"="HKCU"
"command"="F:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="raid_tool"
"hkey"="HKLM"
"command"="F:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"F:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
WudfServiceGroup	REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-05 15:20:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-05 15:20:12
F:\ComboFix-quarantined-files.txt ... 07-05-05 15:20
F:\ComboFix2.txt ... 07-05-05 00:55
F:\ComboFix3.txt ... 07-05-05 00:15

Logfile of HijackThis v1.99.1
Scan saved at 3:20:32 PM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\internet explorer\iexplore.exe
F:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] F:\Program Files\Common Files\AOL\1175744380\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - F:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - F:\Program Files\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	15:14 07-05-05

+ Scan result:

F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP261\A0078057.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP261\A0078056.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP261\A0078058.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned with backup (quarantined).
F:\Documents and Settings\Priya\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP261\A0078140.sys -> Trojan.Rkproc.ay : Cleaned with backup (quarantined).
F:\System Volume Information\_restore{E292E2A8-2BF3-4D88-9226-6D49D95AC1EE}\RP261\A0078141.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end


----------



## Byteman (Jan 24, 2002)

Hi, we can try in *Safe Mode*; that may work better. Those files are in the BCM user account, so you could start up in Safe Mode, log into that account and then run Avenger etc.

You will need these directions with you in Safe Mode so print them or save them to a Notepad helper text file on your desktop, name it somesteps.txt or whatever you want...

I don't know if you have used Avenger yet, here are the download link and directions, it's not difficult at all.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

Next: Boot to *Safe Mode* using the F8 key as you have previously...have the directions saved to your desktop.

2. Copy all the text including Files to delete: to the end of the last file shown, contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):


```
Files to delete:

F:\WINDOWS\powerreg.dat
F:\Documents and Settings\BCM\Recent\bpk (2).lnk
F:\Documents and Settings\BCM\Recent\bpk.lnk
F:\Documents and Settings\BCM\Start Menu\Programs\Startup\PowerReg Scheduler.exe
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*".
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
Click *Done*.
Now click on the *Green Light* to begin execution of the script.
Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.


----------



## bella6100 (Feb 7, 2005)

When I log on normally, both my account as well as the BCM account are available, but when I reboot to safe mode, there is only an administrator account and my account. When I log on with my account and go to Control Panel and User Accounts, BCM is listed as a limited account, so I am not sure if that has something to do with it.


----------



## Byteman (Jan 24, 2002)

Hi, OK, try in Normal mode for the BCM account, but you will need either to hunt for avenger.exe in Windows Explorer, or copy the original download over onto BCM's desktop and run the fix from there.

So, you will end up with Avenger in two places, but it does not install, so you simply right click the file and delete it after we are done.


----------



## bella6100 (Feb 7, 2005)

Sorry, I am a little confused. I logged onto BCM and searched for Avenger but it didn't find it. So, I can't just download and install Avenger when I am in the BCM account?


----------



## Byteman (Jan 24, 2002)

Hi, yes, you can do that. What I meant was for you to COPY the original download using Windows Explorer onto F:\Windows\Documents and Settings\BCM\desktop so then you could see it when logged in as BCM. Don't let it mix you up; if it is easier to re-download, do that and then run the fix.

As a limited account you may find that it will not allow you to install or extract files, though. You could try right clicking the file avenger.exe after extracting it, and select "Run As" > Administrator if it will not open for you.

After you post the Avenger log, I would like you to also run ComboFix while logged in as BCM please.

It's your choice, you can also re-download ComboFix if you wish.

Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe * and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply.
*Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.*

And it would be a good idea to also run SDFix from there.


----------



## bella6100 (Feb 7, 2005)

Sigh... I followed the instructions, but after I pressed the green light icon and said yes, it gave me an error "Fatal error: could not create new script file" and "Error Code: 0 Could not log error----aborting now".


----------



## Byteman (Jan 24, 2002)

Hi, you know... you, as an Admin-level account, can simply make BCM an Administrator account; then you should be able to do what you need to do with Avenger, or anything else. You can then change the account back to a Limited one from your own account (Priya).

You can do this from Priya (which I figure is your account):

Control Panel> User Accounts> Change user account > *make BCM an Admin account*. Log off Priya, and into BCM and try the Avenger fix again when you feel up to it.

The trick is to get all the text onto the clipboard by dragging down quickly with the mouse, right click, select Copy, get it pasted into the location in Avenger and run it.

Should work at Administrator level.

Did you download a new copy of Avenger to that account?


----------



## bella6100 (Feb 7, 2005)

I tried that and it still gave me the same error. I really don't know why it's not working, and yes, I downloaded Avenger on that account.


----------



## Byteman (Jan 24, 2002)

Hi, try just booting to Safe Mode again into the BCM account (it should show up in Safe Mode) and manually deleting those 3 files:

F:\WINDOWS\powerreg.dat
F:\Documents and Settings\BCM\Recent\bpk (2).lnk
F:\Documents and Settings\BCM\Recent\bpk.lnk
F:\Documents and Settings\BCM\Start Menu\Programs\Startup\PowerReg Scheduler.exe


What you may have to do, when in the account, make these changes to settings:

Because XP will not always show you hidden files and folders by default, go to Start > Search > Files and Folders, and under "More advanced search options":
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK" 

I'm done now... try it.


----------



## bella6100 (Feb 7, 2005)

Yay, I was finally able to run Avenger in safe mode.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gsiobami

*******************

Script file located at: \??\F:\prictcix.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

File F:\WINDOWS\powerreg.dat deleted successfully.
File F:\Documents and Settings\BCM\Recent\bpk (2).lnk deleted successfully.
File F:\Documents and Settings\BCM\Recent\bpk.lnk deleted successfully.
File F:\Documents and Settings\BCM\Start Menu\Programs\Startup\PowerReg Scheduler.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

*COMBOFIX LOG*

"BCM" - 07-05-06 9:34:01 Service Pack 2 [SAFE MODE]
ComboFix 07-04-25.4V - Running from: "F:\Documents and Settings\Priya\Desktop\New Folder\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

F:\DOCUME~1\BCM\Desktop.\internet explorer.lnk
F:\DOCUME~1\BCM\Desktop\internet.lnk

((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))

2007-05-06 09:26	60,416	--a------	F:\WINDOWS\system32\drivers\fslxsrdb.sys
2007-05-06 09:26	126,976	--a------	F:\zip.exe
2007-05-06 09:26	1,080	--a------	F:\lxhuhcaa.bat
2007-05-05 16:43 d--------	F:\Avenger
2007-05-05 16:14	524,288	--ah-----	F:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-03 10:51	49,152	--a------	F:\WINDOWS\nircmd.exe
2007-05-02 11:21 d--------	F:\DocumentsandSettings
2007-05-01 12:56	3,968	--a------	F:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-29 15:40 d--------	F:\DOCUME~1\Priya\APPLIC~1\Viewpoint
2007-04-22 22:24 d--------	F:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-04-18 12:58 d--------	F:\Program Files\MSN Games
2007-04-12 12:33 d---s----	F:\DOCUME~1\Priya\UserData
2007-04-09 07:41 d--------	F:\Program Files\Common Files\Wise Installation Wizard

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-13 18:54	--------	d--------	F:\Program Files\norton antivirus
2007-04-13 18:54	--------	d--------	F:\Program Files\Common Files\symantec shared
2007-04-04 22:58	--------	d--------	F:\Program Files\aol 9.0
2007-04-04 22:43	10920	--a------	F:\aolconnfix.exe
2007-04-04 22:41	--------	d--------	F:\Program Files\Common Files\nullsoft
2007-04-04 21:33	--------	d--------	F:\Program Files\msn messenger
2007-04-03 15:04	--------	d--------	F:\Program Files\limewire
2007-03-30 00:16	--------	d--------	F:\Program Files\viewpoint
2007-03-30 00:14	335	--a------	F:\WINDOWS\nsreg.dat
2007-03-29 11:28	--------	d--------	F:\Program Files\itunes
2007-03-29 11:26	--------	d--h-----	F:\Program Files\installshield installation information
2007-03-29 11:10	--------	d--------	F:\Program Files\ipod
2007-03-28 11:06	29089	--a------	F:\WINDOWS\hpoins03.dat
2007-03-28 11:05	--------	d--------	F:\Program Files\hp
2007-03-28 11:01	--------	d--------	F:\Program Files\Common Files\hp
2007-03-17 08:43	292864	--a------	F:\WINDOWS\system32\winsrv.dll
2007-03-11 11:35	--------	d--------	F:\Program Files\lavasoft
2007-03-08 10:36	577536	--a------	F:\WINDOWS\system32\user32.dll
2007-03-08 10:36	40960	--a------	F:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36	281600	--a------	F:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47	1843584	--a------	F:\WINDOWS\system32\win32k.sys
2007-03-07 17:50	--------	d--------	F:\Program Files\creative
2007-03-06 20:59	--------	d--------	F:\Program Files\windows security files
2007-02-21 07:10	67864	--a------	F:\DOCUME~1\BCM\APPLIC~1\gdipfontcachev1.dat

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}	F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"F:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"F:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"SunJavaUpdateSched"="\"F:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BrowserWatch"="F:\\Program Files\\StompSoft\\Digital File Shredder Pro\\BrowserWatchControl.exe"
"AVG7_CC"="F:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"HostManager"="F:\\Program Files\\Common Files\\AOL\\1175744380\\ee\\AOLSoftware.exe"
"guxflmqf"="F:\\lxhuhcaa.bat"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"F:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="F:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000
"NoSecurityTab"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="F:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="F:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Murasu Anjal2000.lnk]
"path"="F:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Murasu Anjal2000.lnk"
"backup"="F:\\WINDOWS\\pss\\Murasu Anjal2000.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MURASU~1\\ANJAL2~1\\anjal.exe "
"item"="Murasu Anjal2000"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares ultra]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares Ultra"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Ares Ultra\\Ares Ultra.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTRegRun"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\CTRegRun.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireflyMini]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FireflyMini"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\SnapStream Media\\Firefly Mini\\FireflyMini.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"F:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hide IP Platinum]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hideippla"
"hkey"="HKCU"
"command"="F:\\Program Files\\Hide IP Platinum\\hideippla.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyman.exe-thamizha]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyman"
"hkey"="HKCU"
"command"="F:\\Program Files\\Tavultesoft\\Keyman-thamizha\\keyman.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kural 3.2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kural"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\KuralSoft\\3.2\\Kural.exe\" -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kural 3.3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kural"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\KuralSoft\\3.3\\Kural.exe\" -min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mssysmgr"
"hkey"="HKCU"
"command"="F:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="raid_tool"
"hkey"="HKLM"
"command"="F:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"F:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
WudfServiceGroup	REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 09:36:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-06 9:36:18
F:\ComboFix-quarantined-files.txt ... 07-05-06 09:36
F:\ComboFix2.txt ... 07-05-05 15:20
F:\ComboFix3.txt ... 07-05-05 00:55

*HIJACK LOG*

Logfile of HijackThis v1.99.1
Scan saved at 9:37:16 AM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] F:\Program Files\Common Files\AOL\1175744380\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [guxflmqf] F:\lxhuhcaa.bat
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - F:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CleanService - Unknown owner - F:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - F:\Program Files\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

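The triage Byteman does by eye on the log above (a Run value with a random-looking name, launching a batch file sitting in the drive root) can be written down as a check. The script below is an added example for this thread, not code from HijackThis, ComboFix or Avenger: it parses the O4 lines of a HijackThis log and annotates each autostart entry with the cues an analyst looks for first. The sample log is built from the O4 lines posted above plus one constructed entry (the `WindowsUpdate` value pointing at a `.vbs` under Application Data) to show that a plausible name is not a clean bill of health; the heuristics and thresholds are the example's own assumptions.

```python
import re
from typing import Dict, List

# Run-key lines in a HijackThis log look like:
#   O4 - HKLM\..\Run: [ccApp] "F:\Program Files\...\ccApp.exe"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# First launch target in the command, quoted or not, ending in a runnable extension.
TARGET_RE = re.compile(
    r'^"?(?P<path>.+?\.(?P<ext>exe|bat|cmd|vbs|js|scr|pif|com))"?(?=\s|$)', re.I
)

DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # e.g. F:\lxhuhcaa.bat
SCRIPT_EXTS = {"bat", "cmd", "vbs", "js"}
PROFILE_DIRS = ("\\Application Data\\", "\\Local Settings\\", "\\Temp\\")


def looks_random(name: str) -> bool:
    """Heuristic (assumption) for machine-generated value names such as 'guxflmqf':
    all-lowercase letters, at least six long, with a vowel ratio of 20% or less."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= 0.2


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Return one record per O4 line: hive, value name, raw command, launch path, extension."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue                      # not a Run-key line; other O-sections are ignored
        t = TARGET_RE.match(m.group("cmd"))
        entries.append({
            "hive": m.group("hive"),
            "name": m.group("name"),
            "cmd": m.group("cmd"),
            "path": t.group("path") if t else "",
            "ext": t.group("ext").lower() if t else "",
        })
    return entries


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """Cues that put an autostart entry at the top of the analyst's list."""
    reasons = []
    if looks_random(entry["name"]):
        reasons.append("random_name")
    if DRIVE_ROOT_RE.match(entry["path"]):
        reasons.append("drive_root")      # real software almost never lives in the drive root
    if entry["ext"] in SCRIPT_EXTS:
        reasons.append("script")          # a script launcher instead of a signed program
    if any(d.lower() in entry["path"].lower() for d in PROFILE_DIRS):
        reasons.append("user_profile")    # writable without admin rights, favoured by droppers
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse and annotate every O4 entry; entries with the most reasons come first."""
    annotated = [{**e, "reasons": reasons_for(e)} for e in parse_o4(log_text)]
    return sorted(annotated, key=lambda e: -len(e["reasons"]))


# Sample log: the O4 lines posted in this thread, plus one constructed entry (last line).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrowserWatch] F:\Program Files\StompSoft\Digital File Shredder Pro\BrowserWatchControl.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] F:\Program Files\Common Files\AOL\1175744380\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [guxflmqf] F:\lxhuhcaa.bat
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsUpdate] F:\Documents and Settings\BCM\Application Data\WindowsUpdate.vbs
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = "!!" if e["reasons"] else "  "
        print(f'{mark} {e["hive"]:<4} [{e["name"]}] {e["path"]}  {", ".join(e["reasons"])}')
```

On the sample log the `guxflmqf` entry is flagged on three counts and the constructed `WindowsUpdate` entry on two, while the vendor entries get no reasons at all. The heuristics are deliberately cheap; they are a way to order what a person reviews next, not a verdict, which is why the thread still sends the flagged files to an online scanner.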

----------



## Byteman (Jan 24, 2002)

Hi, while you are logged into the BCM user account, go to the site below and submit the files one by one to get a quick scan of each one.

It takes just a few seconds per file; you can only scan one file at a time. Just be sure to copy and paste what shows as the results for a file into an open reply. (You can add each file's results to the reply, then post the entire thing as one reply.)

http://virusscan.jotti.org/

Use the Browse button there, this brings up a small box where you can find one of the files, click *ONCE* on the file, then the path to it will show in the *Submit* space, then click *Submit* to upload the file and you will get the results back quickly.

F:\WINDOWS\system32\drivers\fslxsrdb.sys

F:\zip.exe

F:\lxhuhcaa.bat


----------



## bella6100 (Feb 7, 2005)

I could not find any of those files in order to scan them, I even tried searching for all of them. I actually ran ComboFix one more time from the BCM account, and this time those three files did not appear in the log file.


----------



## Byteman (Jan 24, 2002)

Hi, hmmm, I want to tell you that is good; however, I'm not sure!

You will have to continue to monitor the situation.

If someone, as we think, is installing the main problem again and again, there is not much I can do.

Run a new BitDefender scan:



* Go here and do the BitDefender online virus scan.
Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop so you can *attach* it to your next reply to this thread.


----------



## bella6100 (Feb 7, 2005)

I ran the scan but it found nothing to report. I am assuming that is a good thing.


----------



## Byteman (Jan 24, 2002)

Hi, that may be very good news; before, it always found it after we removed files.

Time will tell. I would ask that you come back in 3 or 4 days and post a new AVG Antispyware scan and perhaps a ComboFix log in this thread, and I will see it. Good luck!

You may want to change the BCM account back to a Limited account.


----------



## bella6100 (Feb 7, 2005)

Ok, I will monitor the situation. Thanks again!!


----------

