# Win32/PEPatch trojan/virus?



## pschan

I am currently running AVG Free as my anti-virus and it keeps detecting this virus called Win32/PEPatch. I'm not even sure what the virus/trojan does. At first, the virus was found in the f:/system volume information/_restore..... folder in a file called A0007803.dll; I would move the file to the vault and it would come back every couple of weeks. The one problem I did have then was that sometimes I would be using IE and it would close all my windows without warning. Just a couple of days ago, AVG started to detect the virus in 2 files located in f:/program files/internet explorer, shdocvw.dll and xpsp2res.dll, but now IE no longer closes my windows without warning. Strange. I have tried looking up this virus and anything connected to trojans/viruses in these two files and there doesn't seem to be anything wrong with my system, i.e. there are no registry keys added or files downloaded, so I'm not sure what to do.
Can anyone help?


----------



## Cheeseball81

Hi and welcome 

* *Click here* to download *HJTsetup.exe*.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to *C:\Program Files\Hijack This*.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## pschan

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:43:32 AM, on 6/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\WINDOWS\services.exe
F:\WINDOWS\system32\PGPserv.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS\ehome\ehtray.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
F:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\mace.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
f:\progra~1\window~3\wmplayer.exe
F:\WINDOWS\system32\mshearts.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.biblegateway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIMACE] F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ATI DeviceDetect] F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135231148515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: OCMAPIHK.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apache2.2 - Unknown owner - F:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Messenger - Unknown owner - F:\WINDOWS\services.exe" /s "Messenger (file missing)
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

BTW, I just did a virus scan and shdocvw.dll is infected again.
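As an added example that is not part of this thread: a small Python script that parses the HijackThis log format posted above and builds the review list a helper works through first (core Windows binaries running from somewhere other than system32, entries marked "(file missing)", Winsock LSP / AppInit / Winlogon Notify / SSODL load points, Run entries given as a bare filename, and services with an unknown owner). The sample log is constructed from a handful of lines of the log above; the rule set is my own and is a list of things to verify, not a verdict on any file.

```python
import re

# Constructed sample: a few lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:43:32 AM, on 6/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\services.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: OCMAPIHK.DLL
O23 - Service: Messenger - Unknown owner - F:\WINDOWS\services.exe" /s "Messenger (file missing)
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS\system32\PGPserv.exe
"""

# HijackThis prefixes every configuration line with a section code (R0, O2, O4, O23 ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Windows core processes that are expected to live under \WINDOWS\system32 on XP.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}


def parse_hjt(text):
    """Split a HijackThis log into header lines, running processes and (code, body) entries."""
    header, processes, entries = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
        else:
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def review(parsed):
    """Return (reason, line) pairs for the items a helper would ask about first."""
    findings = []
    for proc in parsed["processes"]:
        directory, _, name = proc.rpartition("\\")
        if name.lower() in CORE_BINARIES and not directory.lower().endswith("\\system32"):
            # Same name as a core binary but a different directory: verify the file.
            findings.append(("core-binary-outside-system32", proc))

    for code, body in parsed["entries"]:
        full = f"{code} - {body}"
        if "(file missing)" in body:
            # A registration whose target no longer exists: stale or recently removed.
            findings.append(("dangling-entry", full))
        if code == "O10" and body.lower().startswith("unknown file in winsock lsp"):
            findings.append(("unknown-lsp", full))
        if code in ("O20", "O21"):
            # AppInit_DLLs, Winlogon Notify and SSODL load into every process or shell.
            findings.append(("autoload-point", full))
        if code == "O4":
            m = re.search(r"\] (.+)$", body)
            # A Run value with no path is resolved through the search path at logon.
            if m and "\\" not in m.group(1) and not m.group(1).startswith('"'):
                findings.append(("unqualified-run-entry", full))
        if code == "O23" and "Unknown owner" in body:
            findings.append(("unknown-owner-service", full))
    return findings


if __name__ == "__main__":
    for reason, line in review(parse_hjt(SAMPLE_LOG)):
        print(f"{reason:32} {line}")
```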


----------



## Cheeseball81

* *Click here* to download the trial version of *Ewido Security Suite*.

· Install Ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido.
· It will prompt you to update click the OK button and it will go to the main screen.
· On the left side of the main screen click update.
· Click on Start and let it update.
· *DO NOT* run a scan yet.

Restart your computer into *Safe Mode* now. 
(Start tapping the *F8* key at Startup, before the Windows logo screen).
Perform the following steps in Safe Mode:

* Run *Ewido*:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

*Post a new Hijack This log and the results of the Ewido scan.*


----------



## pschan

Here's the Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 1:35:51 PM, on 6/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\WINDOWS\services.exe
F:\WINDOWS\system32\PGPserv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS\ehome\ehtray.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
F:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\mace.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.biblegateway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIMACE] F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ATI DeviceDetect] F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135231148515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: OCMAPIHK.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apache2.2 - Unknown owner - F:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Messenger - Unknown owner - F:\WINDOWS\services.exe" /s "Messenger (file missing)
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe


----------



## pschan

And here are the ewido results:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:29:25 PM, 6/13/2006
+ Report-Checksum: A35F4FA3

+ Scan result:

HKLM\SOFTWARE\Classes\HTMLEdit.ViewSource -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\HTMLEdit.ViewSource\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\HTMLEdit.ViewSource\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\HTMLEdit.ViewSource.1 -> Adware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.6:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.12:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.24:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.32:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.93:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.94:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.95:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.96:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.97:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.98:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.103:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.106:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.107:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.108:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.109:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.110:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.111:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.112:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.113:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.114:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.115:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.116:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.117:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.118:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.119:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.120:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.126:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.132:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.133:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.135:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.136:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.137:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.138:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.140:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.141:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.142:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.146:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.148:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.149:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.150:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.151:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.159:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.160:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.180:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.210:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.211:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.212:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.213:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.215:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.220:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.221:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Epilot : Cleaned with backup
:mozilla.229:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.234:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.246:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.247:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.248:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.249:F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup

::Report End


----------



## Cheeseball81

Run *ActiveScan* online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
When the download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. 
Post the contents of the ActiveScan report.


----------



## pschan

ActiveScan log:



----------



## Cheeseball81

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*O23 - Service: Messenger - Unknown owner - F:\WINDOWS\services.exe" /s "Messenger (file missing)*

Reboot, post a new log.
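To show why that O23 entry stands out, here is an added example (not part of this thread, and not HijackThis code) that parses HijackThis-format log lines and flags core Windows binaries such as services.exe that are running from, or registered as a service from, any directory other than %SystemRoot%\system32, where the legitimate copies live. The sample log lines are constructed from the logs in this thread, and the function and constant names are my own.

```python
import ntpath
import re

# Core Windows binaries whose legitimate copies live only in %SystemRoot%\system32.
# The set covers the Windows XP names seen in the HijackThis logs in this thread.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Constructed sample in HijackThis log format, modelled on the logs posted in
# this thread. The O23 "Messenger" line is the entry the helper told the poster
# to fix; the Apache2.2 line shows that "(file missing)" alone is not a signal.
SAMPLE_HJT_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
F:\\WINDOWS\\System32\\smss.exe
F:\\WINDOWS\\system32\\services.exe
F:\\WINDOWS\\services.exe
F:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe

O4 - HKLM\\..\\Run: [AVG7_CC] F:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O23 - Service: Messenger - Unknown owner - F:\\WINDOWS\\services.exe" /s "Messenger (file missing)
O23 - Service: Apache2.2 - Unknown owner - F:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe" -k runservice (file missing)
O23 - Service: PGPserv - PGP Corporation - F:\\WINDOWS\\system32\\PGPserv.exe
"""

# First drive-letter path ending in .exe; stops before any quote so the stray
# quotes and arguments HijackThis prints after a service path are not included.
_EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def extract_exe_path(fragment):
    """Return the executable path found in a log fragment, or None if there is none."""
    match = _EXE_PATH.search(fragment)
    return match.group(1) if match else None


def is_in_system32(path):
    """True only if the file sits directly in <drive>:\\<WINDOWS|WINNT>\\system32."""
    parts = [p.lower() for p in path.split("\\") if p]
    return len(parts) == 4 and parts[1] in ("windows", "winnt") and parts[2] == "system32"


def parse_hjt_log(text):
    """Split a HijackThis log into running-process paths and O23 service entries.

    Returns (processes, services); services is a list of
    (service_name, exe_path_or_None) tuples.
    """
    processes, services = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        if line.startswith("O23 - Service:"):
            # Format: O23 - Service: <name> - <owner> - <command line>
            body = line[len("O23 - Service:"):].strip()
            name, _, rest = body.partition(" - ")
            _owner, _, command = rest.partition(" - ")
            services.append((name, extract_exe_path(command)))
    return processes, services


def find_masquerading(text):
    """Flag core system binaries running from, or registered as a service from,
    any directory other than %SystemRoot%\\system32.

    Each finding is (source, binary_name, path); source is "process" or
    "service:<service name>".
    """
    processes, services = parse_hjt_log(text)
    findings = []
    for path in processes:
        name = ntpath.basename(path).lower()
        if name in CORE_SYSTEM_BINARIES and not is_in_system32(path):
            findings.append(("process", name, path))
    for service_name, path in services:
        if path is None:
            continue
        name = ntpath.basename(path).lower()
        if name in CORE_SYSTEM_BINARIES and not is_in_system32(path):
            findings.append(("service:" + service_name, name, path))
    return findings


if __name__ == "__main__":
    for source, name, path in find_masquerading(SAMPLE_HJT_LOG):
        print(f"{source}: {name} at {path} (legitimate copy lives in system32)")
```

On the sample it reports both the running F:\WINDOWS\services.exe and the Messenger service that points at it, while the Apache2.2 entry, which also carries "(file missing)", is not flagged.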


----------



## pschan

New log:

Logfile of HijackThis v1.99.1
Scan saved at 5:38:04 PM, on 6/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\WINDOWS\system32\PGPserv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\WINDOWS\ehome\ehtray.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
F:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\mace.exe
F:\Program Files\Hijackthis\HijackThis.exe
F:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.biblegateway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIMACE] F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ATI DeviceDetect] F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135231148515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: OCMAPIHK.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apache2.2 - Unknown owner - F:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe


----------



## Cheeseball81

How are things now?


----------



## pschan

Looks good for now, I'll let you know if any problems come up, but how do I prevent recurrences?


----------



## Cheeseball81

Read here on *How to tighten your computer's security settings*: http://forums.techguy.org/t208517.html

*Security Help Tools*: http://forums.techguy.org/security/110854-security-help-tools.html

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You can mark your thread "Solved" from the *Thread Tools* drop down menu.


----------



## pschan

DOH! AVG detected the virus again... in xpsp2res.dll in the Internet Explorer folder....
Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:00:14 AM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\WINDOWS\system32\PGPserv.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS\ehome\ehtray.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\mace.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
f:\progra~1\window~3\wmplayer.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.biblegateway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIMACE] F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ATI DeviceDetect] F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135231148515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: OCMAPIHK.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2.2 - Unknown owner - F:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe


----------



## pschan

I downloaded Spyware Doctor and Bazooka Scanner off cnet.com.
Spyware Doctor detected 2 items I'm not sure of. One is block-checker, found in my C&C Generals Zero Hour folder; I think it's a dll file, and I think I'll keep that one for now.
The other is services.exe in f:/windows; Bazooka Scanner also found this one. Here is the entry from kephyr.com:

WinDir.services

Overview
A common technique that spyware, adware, viruses, keyloggers etc. use to hide from users is to drop files on the system that use the same name as a legitimate file but in a different folder. WinDir.services is a warning that there is a file named services.exe located in %WinDir% on your system. The legitimate services.exe file is located in %SystemDir%. You might want to analyse %WinDir%\services.exe to verify it is something that you really want on your system. Do not delete %WinDir%\services.exe unless you are 100% sure it is a threat.

Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following threats drop services.exe in %WinDir%:
W32.Netsky.A, W32.Netsky.B, Troj/Legmir-E, W32/[email protected], etc.

Should I delete this file?
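A check for the "same name, different folder" trick the kephyr.com entry describes, run over lines in the shape of the HijackThis "Running processes" block posted in this thread. This is an added example, not code from the thread or from any of the tools mentioned in it. The expected-location table is an assumption for a Windows XP layout, and the F:\WINDOWS\services.exe line in the sample is constructed to stand in for the file the entry warns about; the check only reports, it never deletes.

```python
"""
Flag well-known Windows system binaries that are running from somewhere
other than the directory they are expected to live in.

Editor-added example; not part of the thread, HijackThis, Bazooka or
Spyware Doctor.
"""
import ntpath

# Core system binaries and the directory each one is expected to live in,
# relative to %WinDir%. Assumption for this example: a Windows XP layout,
# where these live in %WinDir%\system32 and Explorer lives in %WinDir%.
EXPECTED_DIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",  # %WinDir% itself
}


def _norm(path):
    """Lower-case and normalise separators so 'System32' equals 'system32'."""
    return ntpath.normpath(path).lower()


def find_masquerading(process_paths, windir):
    """Return (path, expected_dir) pairs for known names running from the
    wrong place. The comparison is case-insensitive because HijackThis prints
    the same directory as both 'System32' and 'system32'."""
    windir_n = _norm(windir)
    hits = []
    for raw in process_paths:
        raw = raw.strip()
        if not raw:
            continue
        name = ntpath.basename(raw).lower()
        if name not in EXPECTED_DIR:
            continue  # not a binary we have an expected location for
        expected = ntpath.normpath(ntpath.join(windir_n, EXPECTED_DIR[name]))
        actual_dir = _norm(ntpath.dirname(raw))
        if actual_dir != expected:
            hits.append((raw, expected))
    return hits


def parse_running_processes(hjt_log):
    """Pull the 'Running processes:' block out of a HijackThis log.
    The block starts after the header line and ends at the first blank line
    that follows at least one entry."""
    procs = []
    collecting = False
    for line in hjt_log.splitlines():
        stripped = line.strip()
        if stripped == "Running processes:":
            collecting = True
            continue
        if not collecting:
            continue
        if not stripped:
            if procs:
                break
            continue
        procs.append(stripped)
    return procs


# Constructed sample in the shape of the thread's HijackThis log. The
# F:\WINDOWS\services.exe entry is constructed for the example; the rest
# mirror real lines from the posted log.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1

Running processes:
F:\\WINDOWS\\System32\\smss.exe
F:\\WINDOWS\\system32\\services.exe
F:\\WINDOWS\\system32\\svchost.exe
F:\\WINDOWS\\Explorer.EXE
F:\\WINDOWS\\services.exe
F:\\Program Files\\Hijackthis\\HijackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.biblegateway.com/
"""

if __name__ == "__main__":
    procs = parse_running_processes(SAMPLE_LOG)
    for path, expected in find_masquerading(procs, "F:\\WINDOWS"):
        print(f"{path}: expected under {expected}")
```

The only line reported for the sample is F:\WINDOWS\services.exe, because the legitimate copy under system32 matches its expected directory and Explorer.EXE is allowed in %WinDir%. Names the table does not know (HijackThis.exe, AVG, PGP) are ignored rather than flagged, so the output is a short list of files worth submitting for analysis, which is what the kephyr.com entry suggests doing before removing anything.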


----------



## pschan

here's a HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:09:07 AM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\WINDOWS\system32\PGPserv.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS\ehome\ehtray.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\Spyware Doctor\swdoctor.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
F:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\WINDOWS\ehome\mcrdsvc.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\mace.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.biblegateway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIMACE] F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ATI DeviceDetect] F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135231148515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: OCMAPIHK.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2.2 - Unknown owner - F:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe


----------



## Cheeseball81

Can I have the full file path?


----------



## pschan

f:/program files/internet explorer/xpsp2res.dll
f:/program files/internet explorer/shdocvw.dll


----------



## pschan

Can you also take a look at my other post, thanks.

http://forums.techguy.org/security/477453-spyware-adware-services-exe.html


----------



## Cheeseball81

Is that other thread the same system we are working on here? Or a different one?

Please go to this site: http://virusscan.jotti.org/

Use the Browse button at Jotti.
Navigate to the file's location on your hard drive and submit these files:

f:/program files/internet explorer/xpsp2res.dll
f:/program files/internet explorer/shdocvw.dll

Let me know what it says regarding the file.


----------



## pschan

Yes, it is the same system. Re: submitting the files, I quarantined them using AVG.


----------



## Cheeseball81

Since it's the same system, I merged the threads together. It's easier that way.


----------



## pschan

I can't get onto that site... I'll try again tomorrow.


----------



## Cheeseball81

Okay


----------



## pschan

For both files it says:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


----------



## Cheeseball81

Go to the forum here: http://www.thespykiller.co.uk/forum/index.php?board=1.0 
Upload this (these) file(s):

f:/program files/internet explorer/xpsp2res.dll
f:/program files/internet explorer/shdocvw.dll

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## pschan

OK, done. Now what?


----------



## Cheeseball81

We wait for them to get analyzed. In some cases, those files are legit.


----------



## pschan

And what about f:/windows/services.exe? Should I upload that too?


----------



## Cheeseball81

Yes please.


----------



## pschan

There was a response for the two files found in the IE folder. The guy said that the files were empty and asked for a link to here... Maybe my router is blocking something?


----------



## dvk01

services.exe is BackDoor.Seuh according to Dr Web, so all the antiviruses will be adding detection soon as well.


----------



## dvk01

It will be AVG preventing the upload.

If it is quarantining them and they keep being recreated, then you have other problems: a hidden file or files recreating them.


Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click *WinPFind.exe*
Now Click "*Start Scan*"
*It will scan the entire System, so please be patient!*
Once the Scan is Complete
Reboot back to Normal Mode!
Go to the *WinPFind folder*
Locate *WinPFind.txt*
Place those results in the next post!


and

Download gmer from http://www.gmer.net

Save it somewhere safe & unzip it to the desktop.

Double-click gmer.exe to run it and select the Rootkit tab. Press Scan and, when it has finished, press Save & copy the log back here.

Most entries will be normal, so don't panic.


----------



## pschan

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/10/2004 6:00:00 AM 41397 F:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/17/2006 11:23:38 AM 579888 F:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 7:19:50 PM 5967776 F:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 7:19:50 PM 5967776 F:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/10/2004 6:00:00 AM 708096 F:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/10/2004 6:00:00 AM 657920 F:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/10/2004 6:00:00 AM 1309184 F:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 5/23/2006 10:35:18 AM 776096 F:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 5/23/2006 10:35:18 AM 776096 F:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 5/23/2006 10:35:18 AM 776096 F:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 5/23/2006 10:35:18 AM 776096 F:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in F:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/25/2006 10:46:10 PM S 2048 F:\WINDOWS\bootstat.dat
5/4/2006 9:39:16 PM H 54156 F:\WINDOWS\QTFont.qfn
6/10/2006 11:59:02 AM S 64 F:\WINDOWS\CSC\00000001
6/10/2006 11:44:04 AM S 64 F:\WINDOWS\CSC\00000002
5/14/2006 4:21:52 AM S 13309 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/5/2006 8:22:46 AM S 12227 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
5/29/2006 10:16:00 AM S 23751 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 1:15:12 AM S 10925 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
5/4/2006 6:37:36 PM S 7898 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
6/1/2006 2:28:56 PM S 11043 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
5/17/2006 11:24:42 AM S 7160 F:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
6/25/2006 10:46:00 PM H 8192 F:\WINDOWS\system32\config\DEFAULT.LOG
6/25/2006 10:46:40 PM H 1024 F:\WINDOWS\system32\config\SAM.LOG
6/25/2006 10:46:10 PM H 16384 F:\WINDOWS\system32\config\SECURITY.LOG
6/25/2006 10:46:58 PM H 81920 F:\WINDOWS\system32\config\SOFTWARE.LOG
6/25/2006 10:46:14 PM H 1064960 F:\WINDOWS\system32\config\SYSTEM.LOG
6/13/2006 9:25:58 PM H 1024 F:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/27/2006 3:59:28 PM H 0 F:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf
5/19/2006 8:53:30 AM HS 388 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\1a9ed12c-ff41-44c3-a221-e25c91efdb97
5/19/2006 8:53:30 AM HS 24 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
6/20/2006 11:34:02 PM HS 388 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\089ab3eb-b60b-4865-acc8-1c1bd6fc0030
6/20/2006 11:34:02 PM HS 24 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
6/25/2006 10:44:42 PM H 6 F:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/10/2004 6:00:00 AM 68608 F:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 8/20/2003 8:37:38 PM 10435072 F:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/10/2004 6:00:00 AM 549888 F:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 110592 F:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 135168 F:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 80384 F:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 155136 F:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 358400 F:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 129536 F:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 380416 F:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 68608 F:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 F:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 187904 F:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 618496 F:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 35840 F:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 25600 F:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 257024 F:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 36864 F:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 32768 F:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 114688 F:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 298496 F:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 28160 F:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 94208 F:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 148480 F:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 5:16:30 AM 174360 F:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 68608 F:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 549888 F:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 135168 F:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 80384 F:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 155136 F:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 358400 F:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 129536 F:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 68608 F:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 187904 F:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 618496 F:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 35840 F:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 25600 F:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 257024 F:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 36864 F:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 32768 F:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 114688 F:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 155648 F:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 298496 F:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 28160 F:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 94208 F:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/10/2004 6:00:00 AM 148480 F:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 5:16:30 AM 174360 F:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/24/2006 6:40:12 PM 1757 F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
12/21/2005 11:32:32 PM HS 84 F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
12/21/2005 11:44:40 PM 499 F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\D-Link AirPlus G Configuration Utility.lnk
1/13/2006 6:55:56 PM 1808 F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
12/22/2005 1:43:44 AM 1730 F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
6/7/2006 3:11:08 AM 969 F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
6/25/2006 10:12:06 PM 2295 F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PGPtray.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/21/2005 4:06:36 PM HS 62 F:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
1/13/2006 6:56:46 PM 774 F:\Documents and Settings\All Users.WINDOWS\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
12/21/2005 11:32:32 PM HS 84 F:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/21/2005 4:06:36 PM HS 62 F:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = F:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{969223c0-26aa-11d0-90ee-444553540000}
= pgpmn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = F:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Library
{54F51408-DD44-4a12-82EF-519AD2A80DE9} = F:\Program Files\ATI Multimedia\mlibrary\MLShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{969223c0-26aa-11d0-90ee-444553540000}
= pgpmn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
PCTools Site Guard = F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = f:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google	: f:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{44226DFF-747E-4edc-B30C-78752E50CD0C}
ButtonText = ATI TV	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: F:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
zBrowser Launcher	F:\Program Files\Logitech\iTouch\iTouch.exe
SunJavaUpdateSched	F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
SoundMan	SOUNDMAN.EXE
QuickTime Task	"F:\Program Files\QuickTime\qttask.exe" -atboottime
PinnacleDriverCheck	F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
NeroFilterCheck	F:\WINDOWS\system32\NeroCheck.exe
Logitech Utility	Logi_MwX.Exe
HP Software Update	"F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
HP Component Manager	"F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
ehTray	F:\WINDOWS\ehome\ehtray.exe
AVG7_CC	F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
ATIMACE	F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
ATICCC	"F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	
hkey	HKLM
command	
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700}	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = F:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= F:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs	OCMAPIHK.DLL

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/25/2006 10:54:03 PM


----------



## pschan

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-25 23:15:53
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7A0985A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7A0985A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7A0985A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7A0985A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F7A0985A] avgtdi.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE ABDAFC8A

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase 
File C:\System Volume Information\tracking.log 
File F:\System Volume Information\MountPointManagerRemoteDatabase 
File F:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----


----------



## dvk01

Nothing showing there at all.

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

Select extended bases & post back its log.

It is only a scanner & won't fix anything, but it will detect anything bad anywhere.


----------



## pschan

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 26, 2006 2:24:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/06/2006
Kaspersky Anti-Virus database records: 202942
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 78453
Number of viruses found: 2
Number of infected objects: 15 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:46:13

Infected Object Name / Virus Name / Last Action
C:\itouch_crash_info.txt	Object is locked	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\278fa447f3f549886e437eb88583227c_a6f66f32-e57d-45b0-afc9-2481a3d28fde	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\356f9d49436a116a1a30970ad3678b0f_a6f66f32-e57d-45b0-afc9-2481a3d28fde	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\60ebb8b8ec697cd0d78e6214d7e80236_a6f66f32-e57d-45b0-afc9-2481a3d28fde	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\8ed1c8e2dba13f6df8b30c420d59ff80_a6f66f32-e57d-45b0-afc9-2481a3d28fde	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3565892912_4784128_39064	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\Documents\Recorded TV\TempRec\{E00AF9EE-92CF-4C89-931B-5BA096C00F55}.TmpSBE	Object is locked	skipped
F:\Documents and Settings\All Users.WINDOWS\DRM\drmstore.hds	Object is locked	skipped
F:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
F:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808/stream/data0001	Infected: Trojan-Clicker.Win32.VB.la	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808/stream	Infected: Trojan-Clicker.Win32.VB.la	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808	NSIS: infected - 2	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808	CryptFF.b: infected - 2	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808/crack-inf.exe/stream/data0001	Infected: Trojan-Clicker.Win32.VB.la	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808/crack-inf.exe/stream	Infected: Trojan-Clicker.Win32.VB.la	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808/crack-inf.exe	Infected: Trojan-Clicker.Win32.VB.la	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808	ZIP: infected - 3	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808	CryptFF.b: infected - 3	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808/crack-inf.exe/stream/data0001	Infected: Trojan-Clicker.Win32.VB.la	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808/crack-inf.exe/stream	Infected: Trojan-Clicker.Win32.VB.la	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808/crack-inf.exe	Infected: Trojan-Clicker.Win32.VB.la	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808	ZIP: infected - 3	skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808	CryptFF.b: infected - 3	skipped
F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\cert8.db	Object is locked	skipped
F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\history.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\key3.db	Object is locked	skipped
F:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\parent.lock	Object is locked	skipped
F:\Documents and Settings\Phil\Cookies\index.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Application Data\ApplicationHistory\cli.exe.76111974.ini.inuse	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Application Data\ApplicationHistory\MACE.exe.5d011caa.ini.inuse	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\Cache\_CACHE_001_	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\Cache\_CACHE_002_	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\Cache\_CACHE_003_	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Application Data\Mozilla\Firefox\Profiles\y5lpzrj1.default\Cache\_CACHE_MAP_	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\History\History.IE5\MSHist012006062620060627\index.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Temp\Perflib_Perfdata_478.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Temp\Perflib_Perfdata_6a4.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Temp\Perflib_Perfdata_9dc.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Temp\Perflib_Perfdata_9e8.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Temp\Perflib_Perfdata_f0.dat	Object is locked	skipped
F:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
F:\Documents and Settings\Phil\My Documents\PGP\pubring.pkr	Object is locked	skipped
F:\Documents and Settings\Phil\My Documents\PGP\secring.skr	Object is locked	skipped
F:\Documents and Settings\Phil\ntuser.dat	Object is locked	skipped
F:\Documents and Settings\Phil\NTUSER.DAT.LOG	Object is locked	skipped
F:\Program Files\HP\hpcoretech\hpcmerr.log	Object is locked	skipped
F:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
F:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
F:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E7C6D0A0-E991-4910-801F-842823C99380}.crmlog	Object is locked	skipped
F:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
F:\WINDOWS\services.exe	Infected: Backdoor.Win32.Agent.abz	skipped
F:\WINDOWS\SoftwareDistribution\EventCache\{8CE31A16-D560-4BDE-82A4-848439F66858}.bin	Object is locked	skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
F:\WINDOWS\Sti_Trace.log	Object is locked	skipped
F:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
F:\WINDOWS\system32\config\ACEEvent.evt	Object is locked	skipped
F:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
F:\WINDOWS\system32\config\default	Object is locked	skipped
F:\WINDOWS\system32\config\DEFAULT.LOG	Object is locked	skipped
F:\WINDOWS\system32\config\Media Ce.evt	Object is locked	skipped
F:\WINDOWS\system32\config\SAM	Object is locked	skipped
F:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
F:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
F:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
F:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
F:\WINDOWS\system32\config\software	Object is locked	skipped
F:\WINDOWS\system32\config\SOFTWARE.LOG	Object is locked	skipped
F:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
F:\WINDOWS\system32\config\system	Object is locked	skipped
F:\WINDOWS\system32\config\SYSTEM.LOG	Object is locked	skipped
F:\WINDOWS\system32\h323log.txt	Object is locked	skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
F:\WINDOWS\Temp\Perflib_Perfdata_88.dat	Object is locked	skipped
F:\WINDOWS\wiadebug.log	Object is locked	skipped
F:\WINDOWS\wiaservc.log	Object is locked	skipped
F:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------
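An added example, not part of the thread and not from any of the tools used in it: a small Python triage script for a Kaspersky Online Scanner report of the kind pasted above. It drops the "Object is locked / skipped" noise (open registry hives, logs, caches), sets aside detections that are already inside an AV quarantine folder, and flags the remaining live hits whose file name is a core Windows binary but whose directory is not that binary's canonical one. That last check is the point of this thread: `F:\WINDOWS\services.exe` is not the real `F:\WINDOWS\system32\services.exe` shown in the HijackThis process list, so a detection on it is a masquerading file, not a false positive on a system file. The sample lines are copied from the report above; the quarantine folder markers, the table of canonical directories and the system root `F:\WINDOWS` are assumptions taken from the paths in these logs.

```python
"""Triage a Kaspersky Online Scanner report (path, verdict, action; tab-separated).

Three things the eye misses in a long report:
  1. "Object is locked / skipped" lines are noise, not detections.
  2. Detections inside an AV quarantine folder are already contained.
  3. A live detection named like a core Windows binary but sitting outside that
     binary's canonical directory is a masquerade and needs action.
"""
import ntpath
from typing import Dict, List, NamedTuple

# Constructed sample: five lines copied from the report in the thread above,
# tab-separated exactly as the scanner emits them.
SAMPLE_REPORT = "\n".join(
    "\t".join(cols)
    for cols in [
        (r"C:\System Volume Information\MountPointManagerRemoteDatabase",
         "Object is locked", "skipped"),
        (r"F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808/stream/data0001",
         "Infected: Trojan-Clicker.Win32.VB.la", "skipped"),
        (r"F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808",
         "ZIP: infected - 3", "skipped"),
        (r"F:\WINDOWS\services.exe", "Infected: Backdoor.Win32.Agent.abz", "skipped"),
        (r"F:\WINDOWS\system32\config\SAM", "Object is locked", "skipped"),
    ]
)

LOCKED = "Object is locked"

# Assumption: lower-case path fragments that identify a quarantine/backup area.
# HouseCall's ".housecall\Quarantine" and Killbox's "C:\!killbox" appear in the
# thread; add your own AV's vault folder here.
QUARANTINE_MARKERS = ("\\.housecall\\quarantine\\", "\\!killbox\\")

# Assumption: on Windows XP these binaries live only in the listed directory
# under the system root ("" means the root itself). Taken from the paths in the
# HijackThis process list, where the system root is F:\WINDOWS.
CORE_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}


class Hit(NamedTuple):
    path: str
    verdict: str
    action: str


def parse_report(text: str) -> List[Hit]:
    """Keep only the three-column result lines; headers and blanks are skipped."""
    hits = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) == 3:
            hits.append(Hit(*cols))
    return hits


def in_quarantine(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS)


def is_masquerade(path: str, system_root: str = r"F:\WINDOWS") -> bool:
    """True if the file name is a core binary but the directory is not its canonical one.

    ntpath handles backslash paths on any host, so this runs off the box.
    """
    sub = CORE_BINARIES.get(ntpath.basename(path).lower())
    if sub is None:
        return False
    expected = ntpath.join(system_root, sub) if sub else system_root
    return ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(expected)


def triage(text: str, system_root: str = r"F:\WINDOWS") -> Dict[str, List[str]]:
    """Bucket every result line; 'live' needs action, 'masquerade' needs it first."""
    out: Dict[str, List[str]] = {"locked": [], "quarantined": [], "live": [], "masquerade": []}
    for hit in parse_report(text):
        if hit.verdict == LOCKED:
            out["locked"].append(hit.path)
        elif in_quarantine(hit.path):
            out["quarantined"].append(hit.path)
        else:
            out["live"].append(hit.path)
            if is_masquerade(hit.path, system_root):
                out["masquerade"].append(hit.path)
    return out


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run it against a saved report with `triage(open("report.txt").read())`; the only bucket that should ever be empty after cleanup is `live`. The canonical-directory check is deliberately strict (exact directory match after case folding) rather than a substring test, so a copy dropped into `F:\WINDOWS` or a user profile is caught even though the name is byte-for-byte the legitimate one.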



## pschan

So what do I do now?


----------



## dvk01

That shows clean as well.

I can't see anything wrong now.

Please post a fresh HJT log just to check, and let us know if there are any problems still.


----------



## pschan

Are you sure? What about these? 
F:\WINDOWS\services.exe Infected: Backdoor.Win32.Agent.abz skipped

I'm not too worried about the following because they're under the quarantine:

F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808/stream/data0001 
Infected: Trojan-Clicker.Win32.VB.la 

F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808/stream 
Infected: Trojan-Clicker.Win32.VB.la 

F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808 
NSIS: infected - 2 skipped
F:\Documents and Settings\Phil\.housecall\Quarantine\crack-inf.exe.bac_a00808 
CryptFF.b: infected - 2 skipped

F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808/crack-inf.exe/stream/data0001 
Infected: Trojan-Clicker.Win32.VB.la 

F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808/crack-inf.exe/stream 
Infected: Trojan-Clicker.Win32.VB.la 

F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808/crack-inf.exe Infected: Trojan-Clicker.Win32.VB.la 

F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808 
ZIP: infected - 3 skipped

F:\Documents and Settings\Phil\.housecall\Quarantine\Df94.ZIP.bac_a00808 
CryptFF.b: infected - 3 skipped

F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808/crack-inf.exe/stream/data0001 
Infected: Trojan-Clicker.Win32.VB.la skipped

F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808/crack-inf.exe/stream 
Infected: Trojan-Clicker.Win32.VB.la skipped

F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808/crack-inf.exe Infected: Trojan-Clicker.Win32.VB.la skipped

F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808 
ZIP: infected - 3 skipped

F:\Documents and Settings\Phil\.housecall\Quarantine\Df95.ZIP.bac_a00808 
CryptFF.b: infected - 3 skipped


----------



## dvk01

What scanner gave those results from your last post?


----------



## pschan

That was the Kaspersky scan.


----------



## dvk01

I thought we deleted the file earlier; obviously not.

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

Now start Killbox and paste the first file listed below into the full pathname and file to delete box.

The file name will appear in the window; select delete on reboot, press the red X button, say yes to the prompt and *NO* to reboot now, then repeat for each file in turn.

[Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox.] If Killbox tells you any files are missing, don't worry, but make a note and let us know in your next reply.

F:\WINDOWS\services.exe

Then on the Killbox top bar press Tools/Delete Temp Files; in the pop-up box select any options it will allow you to, then in the drop-down user account box select your account, and repeat for every user account on the computer.

Then reboot & post a fresh HJT log just to check, please.


----------



## pschan

Latest HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 7:32:23 PM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\WINDOWS\system32\PGPserv.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\WINDOWS\ehome\ehtray.exe
F:\WINDOWS\ehome\mcrdsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
F:\Program Files\Spyware Doctor\swdoctor.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
F:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\mace.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wuauclt.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.biblegateway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIMACE] F:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ATI DeviceDetect] F:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = F:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\pgplsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135231148515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: OCMAPIHK.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2.2 - Unknown owner - F:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe


----------



## dvk01

That looks clear, but you have a few out-of-date programs.

Update Ewido to the latest version, as you have an old one.

Then run a full scan with it & see if it finds anything.

Then turn off System Restore by following the instructions here:
http://www.thespykiller.co.uk/forum/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore & create a new restore point.

Go here *http://forums.techguy.org/t208517/s.html* for info on how to tighten your security settings and how to help prevent future attacks.

And pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.

Go to www.java.com & download the latest version of Java, 1.5.0.7.

Install it & then go to Add/Remove Programs and UNINSTALL ALL previous versions of Sun Java.


----------



## dvk01

As this appears to be solved, I am closing this thread now. If the original poster needs more help, please PM me or another moderator, who will reopen it.

Anybody else with the same problem, please start your own thread.


----------

