# Solved: ntos.exe \ eeeeeeek



## topman1 (May 20, 2004)

I have somehow got the dreaded ntos virus on my PC and it is causing havoc with dozens of trojans now on my PC.

I have run Spybot, XoftSpy, AVG, Ad-Aware, Trend, you name it, and they detected a number of them. I deleted them and on reboot they are all back (with some more).

Please Help.

Dave K


----------



## blues_harp28 (Jan 9, 2005)

Hi, post a HijackThis log... log experts will check your system.
http://www.thespykiller.co.uk/files/HJTsetup.exe

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click Edit > Select All> Edit > Copy to copy the entire contents of the log.
Paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## topman1 (May 20, 2004)

hi blues.

here is my log

Logfile of HijackThis v1.99.1
Scan saved at 18:09:08, on 18/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\SCardSvr.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\ng2003\GHOSTS~2.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\snmp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
C:\My Shared Folder\WRSSSDK.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\WINDOWS\System32\RUNDLL32.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ng2003\GhostStartTrayApp.exe
E:\WINDOWS\VM_STI.EXE
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\My Shared Folder\SpySweeper.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
E:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
E:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
E:\WINDOWS\System32\rundll32.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=E:\WINDOWS\System32\userinit.exe,E:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - E:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_RegCleaner] E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [REGSHAVE] E:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\ng2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [BigDogPath] E:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 2)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 2)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Google Desktop Search] "E:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - E:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\ng2003\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\My Shared Folder\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

thankyou.


----------
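As an added example (not part of the thread, and not HijackThis code), a small Python triage of the log format above. It flags the three entries a log reader would act on in this log: the second program on the Winlogon Userinit line (F2), the AppInit_DLLs value (O20) and the per-user proxy (R1), and reports the O10 LSP entry for review. The sample lines are copied from the posted log; the category names are my own.

```python
"""Triage a HijackThis 1.99 log for the persistence entries seen in this
thread.  Added example, not HijackThis code; the sample lines below are
copied from the log posted above."""
import ntpath
import re

# Constructed sample: a handful of lines from the posted log.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"F2 - REG:system.ini: UserInit=E:\WINDOWS\System32\userinit.exe,E:\WINDOWS\System32\ntos.exe,",
    r"O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll",
    r"O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
]

# Every HJT entry starts with a section code such as R1, F2, O20, O23.
SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def userinit_extras(body):
    """Return the programs on the Userinit line other than userinit.exe.

    Winlogon launches each comma-separated entry at every interactive
    logon, so anything beyond userinit.exe is a logon-time loader that
    survives file deletion until the registry value itself is cleaned."""
    if not body.startswith("REG:system.ini: UserInit="):
        return []
    value = body.split("=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]


def triage(lines):
    """Walk the log and return (category, detail) findings."""
    findings = []
    for line in lines:
        m = SECTION_RE.match(line.strip())
        if not m:
            continue  # headers, the process list, blank lines
        section, body = m.groups()
        if section == "F2":
            extras = userinit_extras(body)
            if extras:
                findings.append(("userinit-hijack", extras))
        elif section == "R1" and ",ProxyServer = " in body:
            findings.append(("unexpected-proxy", body.split("= ", 1)[1].strip()))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # The value may be space- or comma-separated; empty means nothing loaded.
            dlls = [d for d in re.split(r"[ ,]+", body.split(":", 1)[1]) if d]
            if dlls:
                findings.append(("appinit-dll", dlls))
        elif section == "O10":
            # HJT prints "unknown" for any LSP not in its whitelist; report for review.
            findings.append(("lsp-review", body.split(":", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LINES):
        print(f"{category:16} {detail}")
```

Winlogon runs every program on the Userinit value at each logon, and AppInit_DLLs is loaded into every process that links user32.dll, so a scanner that deletes the dropped files but leaves these two values behind will see the infection return after the next logon, which matches what the first post describes. The proxy is a per-user setting that routes all Internet Explorer traffic through 213.107.224.24:8080; it is worth clearing even without attributing it, since none of the installed software in the log would set one. The Bonjour LSP is reported only because HJT does not recognise it; the path points at Apple's own install directory.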



## golferbob (May 18, 2004)

Sorry, I am not a log reader, but you should update to SP2. You also have a lot of items running at startup you don't need. After you get updated and your virus taken care of, someone will help you clean up your startup.


----------



## topman1 (May 20, 2004)

OK. I will wait for further instructions.


----------



## cybertech (Apr 16, 2002)

*Click Here* and download Killbox and save it to your desktop.

*Run HJT again and put a check in the following:*

O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll

*Close all applications and browser windows before you click "fix checked".*

Close Hijackthis.

Double-click on Killbox.exe to run it. 
Put a tick by *Delete on Reboot*. 
In the "Full Path of File to Delete" box, copy and paste the following line.

*E:\WINDOWS\System32\win_1.dll*

Click on the button that has the red circle with the X in the middle after you enter the file name. 
It will ask for confirmation to delete the file.
Click Yes.
It will ask for confirmation to reboot now.
Click Yes.

*Note:* It is possible that Killbox will tell you that the file does not exist. 
If your computer does not restart automatically then please restart it manually. 
If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe * and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HijackThis* log in your next reply.
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.*


----------



## topman1 (May 20, 2004)

My PC will not let me open HJT to delete the O20 line as recommended.

It opens for a second then flashes the log file and closes down.

What now?????

Dave K

Edited: I am also having the same problem with ComboFix, and Killbox will not stay on screen long enough to input the file to delete. I have tried this in safe mode as well.


----------



## cybertech (Apr 16, 2002)

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.


----------



## topman1 (May 20, 2004)

I have finally managed to get a report from SDFix as my PC kept popping up with BSODs, but I cannot get a new HijackThis log as the screen will not stay open long enough for me to get one. It flashes for a split second and is gone.

here is the sdfix log

SDFix: Version 1.85

Run by User - 2007-05-22 - 23:07:42.78

Microsoft Windows XP [Version 5.1.2600]

Running From: E:\SDFix

Safe Mode:
Checking Services:

Killing PID 272 'smss.exe'
Killing PID 352 'winlogon.exe'

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

E:\WINDOWS\SYSTEM32\IHP3K7~1.HTM - Deleted
E:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll - Deleted
E:\WINDOWS\system32\ntos.exe - Deleted
E:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
E:\WINDOWS\system32\wsnpoem\video.dll - Deleted
E:\WINDOWS\system32\wudb.dll - Deleted
E:\WINDOWS\wr.txt - Deleted
E:\WINDOWS\Temp\win*.tmp - Deleted

Folder E:\WINDOWS\system32\kazaabackupfiles - Removed

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder 
E:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
E:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

*Rootkit PE386 Found, Use a Rootkit scanner !*

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - E:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM
E:\Program Files\Shockwave.com\Thumbs.db
E:\WINDOWS\system32\whlpda32e.dll
E:\WINDOWS\system32\fcccyyx.dll
E:\WINDOWS\system32\vturooo.dll
E:\Documents and Settings\User\My Documents\Ebay\eBayISAPI.dll_files\Thumbs.db
E:\Documents and Settings\User\My Documents\Ebay\eBayISAPI.dll_files\ZbThumbnail.info
E:\WINDOWS\?icrosoft\scanregw.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe
E:\Program Files\Common Files\s?stem32\??rss.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Picasa2\setup.exe
E:\QooBox\Purity\Documents and Settings\User\Application Data\FNTS~1\?xplorer.exe
E:\WINDOWS\system32\4BFA2BD44F.sys
E:\WINDOWS\system32\3CF445F412.sys
E:\WINDOWS\system32\KGyGaAvL.sys
E:\WINDOWS\system32\C77FEEEC04.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS
E:\san_test.tmp
E:\WINDOWS\system32\config\system.tmp.LOG
E:\WINDOWS\system32\config\software.tmp.LOG
E:\WINDOWS\system32\config\default.tmp.LOG
E:\WINDOWS\Temp\18467.tmp.LOG
E:\WINDOWS\LastGood.Tmp\INF\oem49.inf
E:\WINDOWS\LastGood.Tmp\INF\oem49.PNF

Finished

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-23 06:13:35
Windows 5.1.2600 Service Pack 1 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo R300 Series (Copy 1) = E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
EPSON Stylus Photo R300 Series = E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"

scanning hidden files ...

Thanks

Dave K


----------



## topman1 (May 20, 2004)

I just managed to copy this log with some super deft action on my keyboard, but the log file will still not open long enough for me to tick/delete.

Logfile of HijackThis v1.99.1
Scan saved at 06:38, on 2007-05-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\SCardSvr.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\ng2003\GHOSTS~2.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\snmp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
C:\My Shared Folder\WRSSSDK.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\WINDOWS\System32\RUNDLL32.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ng2003\GhostStartTrayApp.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\My Shared Folder\SpySweeper.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\WINDOWS\ICROSO~1\scanregw.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
E:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
E:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
E:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Common Files\s?stem32\??rss.exe
E:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - E:\WINDOWS\System32\tdrsvxyx.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: (no name) - {6181A284-F443-4426-9364-EE801D035A75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7ADC8B13-B745-4D08-B7BB-D2289A0C4FA4} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {986F575F-DB94-48B5-BE3D-FAD706518ADD} - E:\WINDOWS\System32\ddabx.dll
O2 - BHO: (no name) - {A1DFEDF7-B9CB-4427-97E6-6175095BF310} - E:\WINDOWS\System32\awtqr.dll (file missing)
O2 - BHO: (no name) - {B04EBAC1-147D-4727-9CCB-B8C4DC6650FC} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: (no name) - {B5A2FE0A-844B-4EE9-A3D1-474B44E0496C} - E:\WINDOWS\System32\opnonon.dll
O2 - BHO: (no name) - {C20F4D4F-DCA7-AC28-D97C-82ADDAB173C9} - E:\WINDOWS\System32\iupbj.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100407} - E:\WINDOWS\System32\d4xofa.dll
O2 - BHO: (no name) - {D4D649B6-3BA8-4665-8114-062A172B7327} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - E:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_RegCleaner] E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [REGSHAVE] E:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\ng2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 2)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 2)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "E:\WINDOWS\System32\cguyxbmr.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - E:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\ng2003\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\My Shared Folder\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe


----------



## cybertech (Apr 16, 2002)

Download rustbfix.exe from *here* and save it to your desktop.

Double click on *rustbfix.exe*. If a Rustock.b infection is found, you will be asked to reboot your computer. The reboot will probably take quite a while and perhaps two reboots will be needed but this will happen automatically so please be patient and allow the process to complete.

After the reboot, two log files will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these log files along with a new HijackThis log, please.


----------



## topman1 (May 20, 2004)

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 23:16, on 2007-05-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\SCardSvr.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\ng2003\GHOSTS~2.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\snmp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
C:\My Shared Folder\WRSSSDK.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\WINDOWS\System32\RUNDLL32.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ng2003\GhostStartTrayApp.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\My Shared Folder\SpySweeper.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
E:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
E:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
E:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - E:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_RegCleaner] E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [REGSHAVE] E:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\ng2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 2)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 2)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "E:\WINDOWS\System32\cguyxbmr.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - E:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\ng2003\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\My Shared Folder\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\t^hhhqwf

*******************

Script file located at: \??\E:\WINDOWS\System32\cfagaqkm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program E:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
2007-05-23 23:25:35.25

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

Again I have had trouble trying to keep the log files open long enough to paste. I had to use Word reader to open them.

regards

Dave K


----------



## cybertech (Apr 16, 2002)

*NOTE: If you have downloaded VundoFix previously please delete that version and download it again!*

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. 
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


----------



## topman1 (May 20, 2004)

Here is my hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 20:51, on 2007-05-24
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\SCardSvr.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\ng2003\GHOSTS~2.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\snmp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
C:\My Shared Folder\WRSSSDK.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\WINDOWS\System32\RUNDLL32.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ng2003\GhostStartTrayApp.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\My Shared Folder\SpySweeper.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
E:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
E:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
E:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: (no name) - {6181A284-F443-4426-9364-EE801D035A75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7ADC8B13-B745-4D08-B7BB-D2289A0C4FA4} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {92083FFF-2E48-4FE3-83DF-331AAE2A0DAD} - E:\WINDOWS\System32\ddabx.dll (file missing)
O2 - BHO: (no name) - {A1DFEDF7-B9CB-4427-97E6-6175095BF310} - E:\WINDOWS\System32\awtqr.dll (file missing)
O2 - BHO: (no name) - {B04EBAC1-147D-4727-9CCB-B8C4DC6650FC} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: (no name) - {C20F4D4F-DCA7-AC28-D97C-82ADDAB173C9} - E:\WINDOWS\System32\iupbj.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100407} - E:\WINDOWS\System32\d4xofa.dll
O2 - BHO: (no name) - {D4D649B6-3BA8-4665-8114-062A172B7327} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - E:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_RegCleaner] E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT

Vundo File

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:08:20 2007-05-24

Listing files found while scanning....

E:\WINDOWS\System32\cguyxbmr.dll
E:\WINDOWS\System32\ddabx.dll
E:\WINDOWS\system32\fcccyyx.dll
E:\WINDOWS\system32\ocdhflrl.exe
E:\WINDOWS\system32\opnonon.dll
E:\WINDOWS\System32\tdrsvxyx.dll
E:\WINDOWS\system32\vturooo.dll
E:\WINDOWS\System32\xbadd.bak2
E:\WINDOWS\system32\xbadd.ini

Beginning removal...

Attempting to delete E:\WINDOWS\System32\ddabx.dll
E:\WINDOWS\System32\ddabx.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\fcccyyx.dll
E:\WINDOWS\system32\fcccyyx.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\ocdhflrl.exe
E:\WINDOWS\system32\ocdhflrl.exe Has been deleted!

Attempting to delete E:\WINDOWS\system32\opnonon.dll
E:\WINDOWS\system32\opnonon.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\vturooo.dll
E:\WINDOWS\system32\vturooo.dll Has been deleted!

Attempting to delete E:\WINDOWS\System32\xbadd.bak2
E:\WINDOWS\System32\xbadd.bak2 Has been deleted!

Attempting to delete E:\WINDOWS\system32\xbadd.ini
E:\WINDOWS\system32\xbadd.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete E:\WINDOWS\system32\opnonon.dll
E:\WINDOWS\system32\opnonon.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:31:24 2007-05-24

Listing files found while scanning....

No infected files were found.

Thanks


----------



## cybertech (Apr 16, 2002)

Looks like you cut off the bottom of the log.

*Run HJT again and put a check in the following:*

O2 - BHO: (no name) - {6181A284-F443-4426-9364-EE801D035A75} - (no file)
O2 - BHO: (no name) - {7ADC8B13-B745-4D08-B7BB-D2289A0C4FA4} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {92083FFF-2E48-4FE3-83DF-331AAE2A0DAD} - E:\WINDOWS\System32\ddabx.dll (file missing)
O2 - BHO: (no name) - {A1DFEDF7-B9CB-4427-97E6-6175095BF310} - E:\WINDOWS\System32\awtqr.dll (file missing)
O2 - BHO: (no name) - {B04EBAC1-147D-4727-9CCB-B8C4DC6650FC} - (no file)
O2 - BHO: (no name) - {C20F4D4F-DCA7-AC28-D97C-82ADDAB173C9} - E:\WINDOWS\System32\iupbj.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100407} - E:\WINDOWS\System32\d4xofa.dll
O2 - BHO: (no name) - {D4D649B6-3BA8-4665-8114-062A172B7327} - (no file)

*Close all applications and browser windows before you click "fix checked".*

Check in add/remove programs and remove all old versions of java.

Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackThis* log in your next reply.
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.*
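The picking-out of O2 entries above is done by eye; the same triage can be scripted. The following is an added example written for this thread, not part of HijackThis or of any tool cybertech links to. It re-applies the rules a log reader uses on the entries in the logs posted here: a BHO with "(no name)" that has no backing file, whose file is missing, or whose DLL sits directly in System32; any non-empty AppInit_DLLs value (O20); and a ProxyServer (R1) pointing at a public IP address. The sample log is constructed from lines of the same shape as the ones posted above, and the regular expressions and the "direct child of System32" rule are this example's own assumptions, not HJT's.

```python
"""Triage of HijackThis entries (added example; not HijackThis's own code)."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: entries of the kind seen in the HJT logs posted above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6181A284-F443-4426-9364-EE801D035A75} - (no file)
O2 - BHO: (no name) - {92083FFF-2E48-4FE3-83DF-331AAE2A0DAD} - E:\WINDOWS\System32\ddabx.dll (file missing)
O2 - BHO: (no name) - {C20F4D4F-DCA7-AC28-D97C-82ADDAB173C9} - E:\WINDOWS\System32\iupbj.dll
O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumed line shapes (this example's own patterns, derived from the logs above).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<file>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
# A DLL that is a direct child of System32 (no vendor subfolder).
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (entry type, reason, original line)


def proxy_is_external(proxy: str) -> bool:
    """True when the ProxyServer host is a globally routable IP address."""
    host = proxy.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname: cannot be classified offline


def triage_bho(name: str, file: str) -> Optional[str]:
    """Return a reason to review an O2 entry, or None if it looks ordinary."""
    if name != "(no name)":
        return None
    if file == "(no file)":
        return "orphaned CLSID with no backing file"
    if file.endswith("(file missing)"):
        return "registered DLL is missing on disk (remnant of a removed component)"
    if SYSTEM32_RE.match(file):
        return "unnamed helper DLL loaded straight from System32"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and collect the entries a log reader would check."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            reason = triage_bho(m["name"], m["file"])
            if reason:
                findings.append(("O2", reason, line))
            continue
        m = APPINIT_RE.match(line)
        if m and m["value"].strip():
            findings.append(("O20", "AppInit_DLLs loads this DLL into every process that uses user32.dll", line))
            continue
        m = PROXY_RE.match(line)
        if m and proxy_is_external(m["proxy"]):
            findings.append(("R1", "browser traffic is routed through external proxy " + m["proxy"], line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_HJT):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the sample it reports five entries: the external proxy, the three unnamed BHOs, and the AppInit_DLLs value, while leaving the named Adobe helper and Spybot's unnamed but vendor-folder SDHelper.dll alone. The script only selects candidates; whether a flagged System32 DLL is actually hostile still needs the file itself checked, which is why the thread goes on to ask for scanner logs.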


----------



## topman1 (May 20, 2004)

I can't keep the HJT log on screen at all to check anything to be fixed???


----------



## cybertech (Apr 16, 2002)

Can you run combofix yet?


----------



## topman1 (May 20, 2004)

This is the log for ComboFix:

Scan times for badly infected machines may easily double

FINDSTR: Search string too long.
FINDSTR: Search string too long.

"E:\Documents and Settings\All Users.\documents\settings\desktop.ini"
"E:\WINDOWS\system32\wsnpoem\audio.dll.cla"
"E:\WINDOWS\gc_407.cnf"
"E:\WINDOWS\gsc_407.cnf"
"E:\WINDOWS\system32\rpcc1.dll"
"E:\Documents and Settings\All Users.\documents\settings"
"E:\WINDOWS\system32\wsnpoem"

thanks


----------



## cybertech (Apr 16, 2002)

*Click Here* and download Killbox and save it to your desktop.

Double-click on Killbox.exe to run it. 
Put a tick by *Delete on Reboot*. 
Copy the following list of files to clipboard, CTRL+C to copy

*E:\WINDOWS\system32\wsnpoem
E:\WINDOWS\system32\rpcc1.dll
E:\WINDOWS\gc_407.cnf
E:\WINDOWS\gsc_407.cnf
E:\WINDOWS\system32\wsnpoem\audio.dll.cla
*

Now in Killbox go to File, Paste from clipboard.
Click the *All Files* button.
Click on the button that has the red circle with the X in the middle.
It will ask for confirmation to delete the file.
Click Yes. 
It will ask if you want to reboot now,
Click Yes.

*Note:* It is possible that Killbox will tell you that the file does not exist.

If your computer does not restart automatically then please restart it manually. 
If you get the error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" then just restart manually.

*Click here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the *green arrow* at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the icon next to the files found:

If so, click it and then click the next icon right below and select *Move incurable* as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click *file* and choose *save report list*
Save the report to your desktop. The report will be called *DrWeb.csv*
Close Dr.Web Cureit.
*Reboot* your computer!! It is possible that files in use will only be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.


----------



## topman1 (May 20, 2004)

I have completed your requests, and something has happened: the log files do not flash and disappear as before.

Here are the log files.

ngfjya.exe;C:\;Trojan.DownLoader.19256;Deleted.;
xx1232255.exe;C:\;Trojan.Packed.131;Deleted.;
StartLog.bat;C:\WINDOWS\TEMP\StartLog;Probably SCRIPT.BATCH.Virus;Incurable.Moved.;
Process.exe;C:\unzipped\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
A0356243.exe;C:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP738;Trojan.DownLoader.19256;Deleted.;
A0356244.exe;C:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP738;Trojan.Packed.131;Deleted.;
!update-4395[1].0000;E:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\M5E16ZIS;Trojan.DownLoader.22753;Deleted.;
Process.exe;E:\Documents and Settings\User\Desktop\Virus Software\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
Process.exe;E:\Documents and Settings\User\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
pv.exe;E:\Program Files\PacificPoker;Program.PrcView.3725;Incurable.Moved.;
(Better Version) **** sucking 1 44.wma;E:\Program Files\Shareaza\Downloads;Trojan.Isbar.389;Deleted.;
16-9-2005 (7-31-21).txt;E:\Program Files\RegistryFix\logs;Probably MACRO.SCRIPT.IRC.WORM.Virus;Incurable.Moved.;
A0338723.DLL;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP731;Trojan.Virtumod;Deleted.;
A0338737.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP731;Trojan.Virtumod;Deleted.;
A0343774.exe;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.PurityAd;Incurable.Moved.;
A0343777.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Adware.ClickSpring;Incurable.Moved.;
A0345836.exe;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Packed.131;Deleted.;
A0345839.exe;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Spambot;Deleted.;
A0345841.sys;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.NtRootKit.249;Deleted.;
A0345842.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345843.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345844.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345845.DLL;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345846.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345847.DLL;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345848.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345849.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345850.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345851.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345852.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345853.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345855.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345856.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345857.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345858.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345859.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0345860.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.Virtumod;Deleted.;
A0346926.exe;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Tool.Prockill;Incurable.Moved.;
A0346952.exe;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP732;Trojan.DownLoader.22816;Deleted.;
A0351970.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP733;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0351971.exe;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP733;Trojan.DownLoader.22816;Deleted.;
A0353093.exe;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP736;Trojan.DownLoader.22753;Deleted.;
A0354084.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Trojan.Virtumod;Deleted.;
A0354085.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Trojan.Virtumod;Deleted.;
A0354086.exe;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Adware.TopSearch;Incurable.Moved.;
A0354087.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Trojan.Virtumod;Deleted.;
A0355092.DLL;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Trojan.Virtumod;Deleted.;
A0355203.DLL;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Trojan.Ads;Deleted.;
A0355204.DLL;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Trojan.Fakealert.249;Deleted.;
A0355205.EXE;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Trojan.DownLoader.22753;Deleted.;
A0355207.dll;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737;Trojan.Virtumod;Deleted.;
A0355233.DLL;E:\System Volume Information\_restore{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP738;Win32.HLLM.Bid;Deleted.;
vexga8me6.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Packed.131;Deleted.;
spoolsvv.exe.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Spambot;Deleted.;
spoolsvv.sys.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.NtRootKit.249;Deleted.;
cguyxbmr.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
tdrsvxyx.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
yjgescvf.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xnkiigcq.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;
kubrvhde.dll.vir;E:\QooBox\Quarantine\E\WINDOWS\system32;Trojan.Virtumod;Deleted.;

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 05:01, on 2007-05-27
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\SCardSvr.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\ng2003\GHOSTS~2.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\snmp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
C:\My Shared Folder\WRSSSDK.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\WINDOWS\System32\RUNDLL32.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ng2003\GhostStartTrayApp.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\My Shared Folder\SpySweeper.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
E:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: (no name) - {6181A284-F443-4426-9364-EE801D035A75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7ADC8B13-B745-4D08-B7BB-D2289A0C4FA4} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B04EBAC1-147D-4727-9CCB-B8C4DC6650FC} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: (no name) - {C20F4D4F-DCA7-AC28-D97C-82ADDAB173C9} - E:\WINDOWS\System32\iupbj.dll
O2 - BHO: (no name) - {D4D649B6-3BA8-4665-8114-062A172B7327} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - E:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_RegCleaner] E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [REGSHAVE] E:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\ng2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 2)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 2)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - E:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rpcc1 - E:\WINDOWS\System32\rpcc1.dll (file missing)
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\ng2003\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\My Shared Folder\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

Do you want me to delete O20 now?

Thanks once again

Dave K


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O2 - BHO: (no name) - {6181A284-F443-4426-9364-EE801D035A75} - (no file)
O2 - BHO: (no name) - {7ADC8B13-B745-4D08-B7BB-D2289A0C4FA4} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B04EBAC1-147D-4727-9CCB-B8C4DC6650FC} - (no file)
O2 - BHO: (no name) - {C20F4D4F-DCA7-AC28-D97C-82ADDAB173C9} - E:\WINDOWS\System32\iupbj.dll
O2 - BHO: (no name) - {D4D649B6-3BA8-4665-8114-062A172B7327} - (no file)
O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll
O20 - Winlogon Notify: rpcc1 - E:\WINDOWS\System32\rpcc1.dll (file missing)
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)

*Close all applications and browser windows before you click "fix checked".*

*Click Here* and download Killbox and save it to your desktop.

Double-click on Killbox.exe to run it. 
Put a tick by *Delete on Reboot*. 
Copy the following list of files to clipboard, CTRL+C to copy

*E:\WINDOWS\System32\iupbj.dll*
*E:\WINDOWS\System32\win_1.dll*

Now in Killbox go to File, Paste from clipboard.
Click the *All Files* button.
Click on the button that has the red circle with the X in the middle.
It will ask for confirmation to delete the file.
Click Yes. 
It will ask if you want to reboot now,
Click Yes.

*Note:* It is possible that Killbox will tell you that the file does not exist.

If your computer does not restart automatically then please restart it manually. 
If you get the error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" then just restart manually.

After the reboot post your hijackthis log again.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Files Created Within* group click *30 days*
In the *Files Modified Within* group select *30 days*
In the *File String Search* group select *Non-Microsoft*

Now click the *Run Scan* button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please post the resulting log here as an attachment.
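An added triage script (my example, not a tool from this thread or from HijackThis) that applies the rules cybertech used above to HijackThis log lines: BHO CLSIDs left behind with no file, a populated AppInit_DLLs value, and Winlogon Notify packages whose DLL is missing. The sample lines are constructed from the log format shown in this thread, and the "unnamed BHO loading from System32" rule is my own heuristic, not a HijackThis rule.

```python
"""Triage HijackThis v1.99-style log lines for the O2/O20 entry types flagged in this thread."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2" or "O20"
    reason: str    # why the entry deserves a look
    line: str      # the original log line


# Line shapes as they appear in the HijackThis log above.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.*)$")
SYSTEM32_RE = re.compile(r"\\WINDOWS\\System32\\", re.IGNORECASE)

APPINIT_REASON = "AppInit_DLLs is set (the DLL is loaded into every process that loads user32.dll)"


def triage_line(line: str):
    """Return a Finding for a line that matches one of the rules, or None if it passes."""
    line = line.rstrip()
    m = BHO_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            return Finding("O2", "BHO CLSID registered but its DLL is gone (orphaned registration)", line)
        # Heuristic (my assumption, not a HijackThis rule): a BHO with no display
        # name whose DLL sits directly in System32 is unusual enough to review.
        if m.group("name") == "(no name)" and SYSTEM32_RE.search(m.group("path")):
            return Finding("O2", "unnamed BHO loading a DLL from System32", line)
        return None
    m = APPINIT_RE.match(line)
    if m and m.group("value").strip():
        # On a home PC this value is normally empty, so any entry is worth checking.
        return Finding("O20", APPINIT_REASON, line)
    m = WINLOGON_RE.match(line)
    if m and m.group("path").endswith("(file missing)"):
        return Finding("O20", "Winlogon Notify package whose DLL is missing", line)
    return None


def triage(log_text: str) -> list:
    """Run triage_line over every line of a log and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


def summarize(findings) -> dict:
    """Count findings per reason for a quick overview."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample: a handful of lines in the format of the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6181A284-F443-4426-9364-EE801D035A75} - (no file)
O2 - BHO: (no name) - {C20F4D4F-DCA7-AC28-D97C-82ADDAB173C9} - E:\WINDOWS\System32\iupbj.dll
O20 - AppInit_DLLs: E:\WINDOWS\System32\win_1.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rpcc1 - E:\WINDOWS\System32\rpcc1.dll (file missing)
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```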


----------



## topman1 (May 20, 2004)

Latest log files.

Logfile of HijackThis v1.99.1
Scan saved at 00:25, on 2007-05-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\SCardSvr.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\ng2003\GHOSTS~2.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\snmp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
C:\My Shared Folder\WRSSSDK.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\wdfmgr.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\WINDOWS\System32\RUNDLL32.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ng2003\GhostStartTrayApp.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\My Shared Folder\SpySweeper.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
E:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
E:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - E:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_RegCleaner] E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\ng2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 2)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 2)" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [REGSHAVE] E:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - E:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\ng2003\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\My Shared Folder\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

I did try to find how to do win log as an attachment but could not see how to do it.

Dave K

Thanks.


----------



## topman1 (May 20, 2004)

ooops


found it.


----------



## cybertech (Apr 16, 2002)

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy the *entire contents* of the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> c:\windows\g1718312.exe
> c:\windows\g3145671.exe
> c:\windows\g11829671.exe
> ...


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*"
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done*
 Now click on the *Green Light* to begin execution of the script
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply 

*Delete your current version of SDFix and download it again!*
Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and choose *Install* to extract it to its own folder on the Desktop. Please then reboot your computer in *Safe Mode* by doing the following:
Restart your computer 
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; 
Instead of Windows loading as normal, a menu with options should appear; 
Select the first option, to run Windows in Safe Mode, then press "Enter". 
Choose your usual account. 

 In Safe Mode, right click the SDFix.zip folder and choose *Extract All*, 
 Open the extracted folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the script. 
 It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 Your system will take longer than normal to restart as the fixtool will be running and removing files. 
 When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons. 
 Finally open the SDFix folder on your desktop and copy and paste the contents of the results file *Report.txt* back onto your next reply.

*Delete your current version of ComboFix and download it again!*
Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply.
*Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.*


----------



## topman1 (May 20, 2004)

Whilst using the Avenger program I got an error popup.

Selected file does not appear to be a valid script. 

Then an error 0 popup.

Dave K


Edited; NOW sorted


----------



## topman1 (May 20, 2004)

I have managed to get all the reports as you requested.

as follows:

SDFix: Version 1.85

Run by User - 2007-05-28 - 23:34:23.23

Microsoft Windows XP [Version 5.1.2600]

Running From: E:\DOCUME~1\User\Desktop\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

E:\WINDOWS\Temp\mx_*.tmp - Deleted

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder 
E:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
E:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Checking For Files with Hidden Attributes:

E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM
E:\Program Files\Shockwave.com\Thumbs.db
E:\WINDOWS\system32\whlpda32e.dll
E:\Documents and Settings\User\My Documents\Ebay\eBayISAPI.dll_files\Thumbs.db
E:\Documents and Settings\User\My Documents\Ebay\eBayISAPI.dll_files\ZbThumbnail.info
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe
E:\Program Files\Common Files\s?stem32\??rss.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Picasa2\setup.exe
E:\WINDOWS\system32\4BFA2BD44F.sys
E:\WINDOWS\system32\3CF445F412.sys
E:\WINDOWS\system32\KGyGaAvL.sys
E:\WINDOWS\system32\C77FEEEC04.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS
E:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS
E:\san_test.tmp
E:\WINDOWS\system32\config\system.tmp.LOG
E:\WINDOWS\system32\config\software.tmp.LOG
E:\WINDOWS\system32\config\default.tmp.LOG
E:\WINDOWS\LastGood.Tmp\INF\oem49.inf
E:\WINDOWS\LastGood.Tmp\INF\oem49.PNF

Finished

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tebcnkud

*******************

Script file located at: \??\E:\Documents and Settings\ccdhctvu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

File c:\windows\g1718312.exe not found!
Deletion of file c:\windows\g1718312.exe failed!

Could not process line:
c:\windows\g1718312.exe
Status: 0xc0000034

File c:\windows\g3145671.exe not found!
Deletion of file c:\windows\g3145671.exe failed!

Could not process line:
c:\windows\g3145671.exe
Status: 0xc0000034

File c:\windows\g11829671.exe not found!
Deletion of file c:\windows\g11829671.exe failed!

Could not process line:
c:\windows\g11829671.exe
Status: 0xc0000034

File c:\windows\g13060765.exe not found!
Deletion of file c:\windows\g13060765.exe failed!

Could not process line:
c:\windows\g13060765.exe
Status: 0xc0000034

File c:\windows\g14260453.exe not found!
Deletion of file c:\windows\g14260453.exe failed!

Could not process line:
c:\windows\g14260453.exe
Status: 0xc0000034

File c:\windows\g15449031.exe not found!
Deletion of file c:\windows\g15449031.exe failed!

Could not process line:
c:\windows\g15449031.exe
Status: 0xc0000034

File c:\windows\g3038968.exe not found!
Deletion of file c:\windows\g3038968.exe failed!

Could not process line:
c:\windows\g3038968.exe
Status: 0xc0000034

File c:\windows\smanager.7.exe~ not found!
Deletion of file c:\windows\smanager.7.exe~ failed!

Could not process line:
c:\windows\smanager.7.exe~
Status: 0xc0000034

File c:\windows\g4749890.exe not found!
Deletion of file c:\windows\g4749890.exe failed!

Could not process line:
c:\windows\g4749890.exe
Status: 0xc0000034

File c:\windows\g5950250.exe not found!
Deletion of file c:\windows\g5950250.exe failed!

Could not process line:
c:\windows\g5950250.exe
Status: 0xc0000034

File c:\windows\g7152859.exe not found!
Deletion of file c:\windows\g7152859.exe failed!

Could not process line:
c:\windows\g7152859.exe
Status: 0xc0000034

File c:\windows\g283671.exe not found!
Deletion of file c:\windows\g283671.exe failed!

Could not process line:
c:\windows\g283671.exe
Status: 0xc0000034

File c:\windows\g1745875.exe not found!
Deletion of file c:\windows\g1745875.exe failed!

Could not process line:
c:\windows\g1745875.exe
Status: 0xc0000034

File c:\windows\g272187.exe not found!
Deletion of file c:\windows\g272187.exe failed!

Could not process line:
c:\windows\g272187.exe
Status: 0xc0000034

File c:\windows\g8353140.exe not found!
Deletion of file c:\windows\g8353140.exe failed!

Could not process line:
c:\windows\g8353140.exe
Status: 0xc0000034

File c:\windows\g9671796.exe not found!
Deletion of file c:\windows\g9671796.exe failed!

Could not process line:
c:\windows\g9671796.exe
Status: 0xc0000034

File c:\windows\g1593281.exe not found!
Deletion of file c:\windows\g1593281.exe failed!

Could not process line:
c:\windows\g1593281.exe
Status: 0xc0000034

File c:\windows\g10993265.exe not found!
Deletion of file c:\windows\g10993265.exe failed!

Could not process line:
c:\windows\g10993265.exe
Status: 0xc0000034

File c:\windows\g549687.exe not found!
Deletion of file c:\windows\g549687.exe failed!

Could not process line:
c:\windows\g549687.exe
Status: 0xc0000034

File c:\windows\g2793937.exe not found!
Deletion of file c:\windows\g2793937.exe failed!

Could not process line:
c:\windows\g2793937.exe
Status: 0xc0000034

File c:\windows\g395984.exe not found!
Deletion of file c:\windows\g395984.exe failed!

Could not process line:
c:\windows\g395984.exe
Status: 0xc0000034

File c:\windows\g401765.exe not found!
Deletion of file c:\windows\g401765.exe failed!

Could not process line:
c:\windows\g401765.exe
Status: 0xc0000034

File c:\windows\g12312156.exe not found!
Deletion of file c:\windows\g12312156.exe failed!

Could not process line:
c:\windows\g12312156.exe
Status: 0xc0000034

File c:\windows\g13632828.exe not found!
Deletion of file c:\windows\g13632828.exe failed!

Could not process line:
c:\windows\g13632828.exe
Status: 0xc0000034

File c:\windows\g14953078.exe not found!
Deletion of file c:\windows\g14953078.exe failed!

Could not process line:
c:\windows\g14953078.exe
Status: 0xc0000034

File c:\windows\g16153875.exe not found!
Deletion of file c:\windows\g16153875.exe failed!

Could not process line:
c:\windows\g16153875.exe
Status: 0xc0000034

File c:\windows\g17474390.exe not found!
Deletion of file c:\windows\g17474390.exe failed!

Could not process line:
c:\windows\g17474390.exe
Status: 0xc0000034

File c:\windows\g18794687.exe not found!
Deletion of file c:\windows\g18794687.exe failed!

Could not process line:
c:\windows\g18794687.exe
Status: 0xc0000034

File c:\windows\g1599765.exe not found!
Deletion of file c:\windows\g1599765.exe failed!

Could not process line:
c:\windows\g1599765.exe
Status: 0xc0000034

File c:\windows\g20114906.exe not found!
Deletion of file c:\windows\g20114906.exe failed!

Could not process line:
c:\windows\g20114906.exe
Status: 0xc0000034

File c:\windows\g21435250.exe not found!
Deletion of file c:\windows\g21435250.exe failed!

Could not process line:
c:\windows\g21435250.exe
Status: 0xc0000034

File c:\windows\g10762640.exe not found!
Deletion of file c:\windows\g10762640.exe failed!

Could not process line:
c:\windows\g10762640.exe
Status: 0xc0000034

File c:\windows\g2920875.exe not found!
Deletion of file c:\windows\g2920875.exe failed!

Could not process line:
c:\windows\g2920875.exe
Status: 0xc0000034

File c:\windows\g280281.exe not found!
Deletion of file c:\windows\g280281.exe failed!

Could not process line:
c:\windows\g280281.exe
Status: 0xc0000034

File c:\windows\g1481015.exe not found!
Deletion of file c:\windows\g1481015.exe failed!

Could not process line:
c:\windows\g1481015.exe
Status: 0xc0000034

File c:\windows\g544531.exe not found!
Deletion of file c:\windows\g544531.exe failed!

Could not process line:
c:\windows\g544531.exe
Status: 0xc0000034

File c:\windows\g518953.exe not found!
Deletion of file c:\windows\g518953.exe failed!

Could not process line:
c:\windows\g518953.exe
Status: 0xc0000034

File c:\windows\g917203.exe not found!
Deletion of file c:\windows\g917203.exe failed!

Could not process line:
c:\windows\g917203.exe
Status: 0xc0000034

File c:\windows\g2237187.exe not found!
Deletion of file c:\windows\g2237187.exe failed!

Could not process line:
c:\windows\g2237187.exe
Status: 0xc0000034

File c:\windows\g3437750.exe not found!
Deletion of file c:\windows\g3437750.exe failed!

Could not process line:
c:\windows\g3437750.exe
Status: 0xc0000034

File c:\windows\g4758484.exe not found!
Deletion of file c:\windows\g4758484.exe failed!

Could not process line:
c:\windows\g4758484.exe
Status: 0xc0000034

File c:\windows\g1742312.exe not found!
Deletion of file c:\windows\g1742312.exe failed!

Could not process line:
c:\windows\g1742312.exe
Status: 0xc0000034

File c:\windows\g2942640.exe not found!
Deletion of file c:\windows\g2942640.exe failed!

Could not process line:
c:\windows\g2942640.exe
Status: 0xc0000034

File c:\windows\g4269156.exe not found!
Deletion of file c:\windows\g4269156.exe failed!

Could not process line:
c:\windows\g4269156.exe
Status: 0xc0000034

File c:\windows\g534187.exe not found!
Deletion of file c:\windows\g534187.exe failed!

Could not process line:
c:\windows\g534187.exe
Status: 0xc0000034

File c:\windows\g523625.exe not found!
Deletion of file c:\windows\g523625.exe failed!

Could not process line:
c:\windows\g523625.exe
Status: 0xc0000034

File c:\windows\g767390.exe not found!
Deletion of file c:\windows\g767390.exe failed!

Could not process line:
c:\windows\g767390.exe
Status: 0xc0000034

File c:\windows\g2086031.exe not found!
Deletion of file c:\windows\g2086031.exe failed!

Could not process line:
c:\windows\g2086031.exe
Status: 0xc0000034

File c:\windows\g3301421.exe not found!
Deletion of file c:\windows\g3301421.exe failed!

Could not process line:
c:\windows\g3301421.exe
Status: 0xc0000034

File c:\windows\g4493343.exe not found!
Deletion of file c:\windows\g4493343.exe failed!

Could not process line:
c:\windows\g4493343.exe
Status: 0xc0000034

File c:\windows\g5813234.exe not found!
Deletion of file c:\windows\g5813234.exe failed!

Could not process line:
c:\windows\g5813234.exe
Status: 0xc0000034

File c:\windows\g7133000.exe not found!
Deletion of file c:\windows\g7133000.exe failed!

Could not process line:
c:\windows\g7133000.exe
Status: 0xc0000034

File c:\windows\g8334500.exe not found!
Deletion of file c:\windows\g8334500.exe failed!

Could not process line:
c:\windows\g8334500.exe
Status: 0xc0000034

File c:\windows\g9655750.exe not found!
Deletion of file c:\windows\g9655750.exe failed!

Could not process line:
c:\windows\g9655750.exe
Status: 0xc0000034

File c:\windows\g10976921.exe not found!
Deletion of file c:\windows\g10976921.exe failed!

Could not process line:
c:\windows\g10976921.exe
Status: 0xc0000034

File c:\windows\g12297843.exe not found!
Deletion of file c:\windows\g12297843.exe failed!

Could not process line:
c:\windows\g12297843.exe
Status: 0xc0000034

File c:\windows\g3428031.exe not found!
Deletion of file c:\windows\g3428031.exe failed!

Could not process line:
c:\windows\g3428031.exe
Status: 0xc0000034

File c:\windows\g13618656.exe not found!
Deletion of file c:\windows\g13618656.exe failed!

Could not process line:
c:\windows\g13618656.exe
Status: 0xc0000034

File c:\windows\g14939500.exe not found!
Deletion of file c:\windows\g14939500.exe failed!

Could not process line:
c:\windows\g14939500.exe
Status: 0xc0000034

File c:\windows\g4750406.exe not found!
Deletion of file c:\windows\g4750406.exe failed!

Could not process line:
c:\windows\g4750406.exe
Status: 0xc0000034

File c:\windows\g5957843.exe not found!
Deletion of file c:\windows\g5957843.exe failed!

Could not process line:
c:\windows\g5957843.exe
Status: 0xc0000034

File c:\windows\g7154375.exe not found!
Deletion of file c:\windows\g7154375.exe failed!

Could not process line:
c:\windows\g7154375.exe
Status: 0xc0000034

File c:\windows\g16140515.exe not found!
Deletion of file c:\windows\g16140515.exe failed!

Could not process line:
c:\windows\g16140515.exe
Status: 0xc0000034

File c:\windows\g8371859.exe not found!
Deletion of file c:\windows\g8371859.exe failed!

Could not process line:
c:\windows\g8371859.exe
Status: 0xc0000034

File c:\windows\g9561546.exe not found!
Deletion of file c:\windows\g9561546.exe failed!

Could not process line:
c:\windows\g9561546.exe
Status: 0xc0000034

File c:\windows\g11965203.exe not found!
Deletion of file c:\windows\g11965203.exe failed!

Could not process line:
c:\windows\g11965203.exe
Status: 0xc0000034

File c:\windows\g13166671.exe not found!
Deletion of file c:\windows\g13166671.exe failed!

Could not process line:
c:\windows\g13166671.exe
Status: 0xc0000034

File c:\windows\g14371015.exe not found!
Deletion of file c:\windows\g14371015.exe failed!

Could not process line:
c:\windows\g14371015.exe
Status: 0xc0000034

File c:\windows\g15575359.exe not found!
Deletion of file c:\windows\g15575359.exe failed!

Could not process line:
c:\windows\g15575359.exe
Status: 0xc0000034

File c:\windows\g16771796.exe not found!
Deletion of file c:\windows\g16771796.exe failed!

Could not process line:
c:\windows\g16771796.exe
Status: 0xc0000034

File c:\windows\g17972859.exe not found!
Deletion of file c:\windows\g17972859.exe failed!

Could not process line:
c:\windows\g17972859.exe
Status: 0xc0000034

File c:\windows\g19173296.exe not found!
Deletion of file c:\windows\g19173296.exe failed!

Could not process line:
c:\windows\g19173296.exe
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tebcnkud

*******************

Script file located at: \??\E:\Documents and Settings\ccdhctvu.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!



----------



## topman1 (May 20, 2004)

"User" - 2007-05-29 0:15:52 Service Pack 1 
ComboFix 07-05.27.V - Running from: "E:\Documents and Settings\User\Desktop\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))

2007-05-28 23:59	49,152	--a------	E:\WINDOWS\nircmd.exe
2007-05-28 23:14 d--------	E:\avenger
2007-05-27 19:56 d--------	E:\DOCUME~1\User\APPLIC~1\FUJIFILM
2007-05-27 19:51	274,432	--a------	E:\WINDOWS\system32\FFTIFF16.dll
2007-05-27 19:51	155,648	--a------	E:\WINDOWS\system32\FFRAFLIB.DLL
2007-05-27 19:50	81,924	---------	E:\WINDOWS\system32\drivers\VC4CB104.SYS
2007-05-27 19:50	65,536	---------	E:\WINDOWS\system32\FINFCHECK.dll
2007-05-27 19:50	45,056	---------	E:\WINDOWS\system32\FINFCOPY.dll
2007-05-27 19:50 d--------	E:\Program Files\REGSHAVE
2007-05-27 19:41 d--hs----	E:\FOUND.023
2007-05-26 20:12 d--------	E:\Documents and Settings\User\DoctorWeb
2007-05-26 20:12 d--------	E:\DOCUME~1\User\DoctorWeb
2007-05-23 23:02 d--------	E:\Rustbfix
2007-05-23 05:32 d--hs----	E:\FOUND.022
2007-05-23 05:18 d--hs----	E:\FOUND.021
2007-05-23 04:34 d--hs----	E:\FOUND.020
2007-05-22 05:41 d--------	E:\!KillBox
2007-05-22 00:02 d--hs----	E:\FOUND.019
2007-05-20 20:58 d--hs----	E:\FOUND.018
2007-05-20 19:48 d--hs----	E:\FOUND.009
2007-05-20 19:23 d--------	E:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-20 19:22 d--------	E:\Program Files\SUPERAntiSpyware
2007-05-20 19:22 d--------	E:\DOCUME~1\User\APPLIC~1\SUPERAntiSpyware.com
2007-05-20 01:41	71,680	--a------	E:\WINDOWS\g20615750.exe
2007-05-20 01:17	71,680	--a------	E:\WINDOWS\g19173296.exe
2007-05-20 00:57	71,680	--a------	E:\WINDOWS\g17972859.exe
2007-05-20 00:37	71,680	--a------	E:\WINDOWS\g16771796.exe
2007-05-20 00:17	71,680	--a------	E:\WINDOWS\g15575359.exe
2007-05-19 23:57	71,680	--a------	E:\WINDOWS\g14371015.exe
2007-05-19 23:37	71,680	--a------	E:\WINDOWS\g13166671.exe
2007-05-19 23:17	71,680	--a------	E:\WINDOWS\g11965203.exe
2007-05-19 22:57	71,680	--a------	E:\WINDOWS\g10762640.exe
2007-05-19 22:37	71,680	--a------	E:\WINDOWS\g9561546.exe
2007-05-19 22:17	71,680	--a------	E:\WINDOWS\g8371859.exe
2007-05-19 21:57	71,680	--a------	E:\WINDOWS\g7154375.exe
2007-05-19 21:37	71,680	--a------	E:\WINDOWS\g5957843.exe
2007-05-19 21:17	71,680	--a------	E:\WINDOWS\g4750406.exe
2007-05-19 20:55	71,680	--a------	E:\WINDOWS\g3428031.exe
2007-05-19 20:02 d--hs----	E:\FOUND.008
2007-05-19 19:44	71,680	--a------	E:\WINDOWS\g16140515.exe
2007-05-19 19:24	71,680	--a------	E:\WINDOWS\g14939500.exe
2007-05-19 19:02	71,680	--a------	E:\WINDOWS\g13618656.exe
2007-05-19 18:40	71,680	--a------	E:\WINDOWS\g12297843.exe
2007-05-19 18:18	71,680	--a------	E:\WINDOWS\g10976921.exe
2007-05-19 17:56	71,680	--a------	E:\WINDOWS\g9655750.exe
2007-05-19 17:34	71,680	--a------	E:\WINDOWS\g8334500.exe
2007-05-19 17:14	71,680	--a------	E:\WINDOWS\g7133000.exe
2007-05-19 16:52	71,680	--a------	E:\WINDOWS\g5813234.exe
2007-05-19 16:30	71,680	--a------	E:\WINDOWS\g4493343.exe
2007-05-19 16:11	71,680	--a------	E:\WINDOWS\g3301421.exe
2007-05-19 15:50	71,680	--a------	E:\WINDOWS\g2086031.exe
2007-05-19 15:28	71,680	--a------	E:\WINDOWS\g767390.exe
2007-05-19 07:27	71,680	--a------	E:\WINDOWS\g523625.exe
2007-05-19 06:57	71,680	--a------	E:\WINDOWS\g534187.exe
2007-05-18 18:49	71,680	--a------	E:\WINDOWS\g4269156.exe
2007-05-18 18:27	71,680	--a------	E:\WINDOWS\g2942640.exe
2007-05-18 18:07	71,680	--a------	E:\WINDOWS\g1742312.exe
2007-05-18 08:01	71,680	--a------	E:\WINDOWS\g4758484.exe
2007-05-18 07:39	71,680	--a------	E:\WINDOWS\g3437750.exe
2007-05-18 07:19	71,680	--a------	E:\WINDOWS\g2237187.exe
2007-05-18 06:57	71,680	--a------	E:\WINDOWS\g917203.exe
2007-05-18 04:51	71,680	--a------	E:\WINDOWS\g518953.exe
2007-05-18 04:30	71,680	--a------	E:\WINDOWS\g544531.exe
2007-05-18 04:26 d--hs----	E:\FOUND.007
2007-05-18 04:10 d--------	E:\Program Files\RegCure
2007-05-18 04:01	71,680	--a------	E:\WINDOWS\g1481015.exe
2007-05-18 03:41	71,680	--a------	E:\WINDOWS\g280281.exe
2007-05-17 07:54	71,680	--a------	E:\WINDOWS\g2920875.exe
2007-05-17 07:32	71,680	--a------	E:\WINDOWS\g1599765.exe
2007-05-17 07:12	71,680	--a------	E:\WINDOWS\g401765.exe
2007-05-16 22:57	71,680	--a------	E:\WINDOWS\g395984.exe
2007-05-16 08:29	71,680	--a------	E:\WINDOWS\g2793937.exe
2007-05-16 08:09	71,680	--a------	E:\WINDOWS\g1593281.exe
2007-05-16 07:47	71,680	--a------	E:\WINDOWS\g272187.exe
2007-05-16 07:29 d--hs----	E:\FOUND.006
2007-05-16 05:38	71,680	--a------	E:\WINDOWS\g283671.exe
2007-05-15 23:02	71,680	--a------	E:\WINDOWS\g1745875.exe
2007-05-15 22:42	71,680	--a------	E:\WINDOWS\g549687.exe
2007-05-15 22:35	196,608	--a------	E:\WINDOWS\system32\ssleay32.dll
2007-05-15 22:35	1,040,384	--a------	E:\WINDOWS\system32\libeay32.dll
2007-05-15 07:23	71,680	--a------	E:\WINDOWS\g21435250.exe
2007-05-15 07:01	71,680	--a------	E:\WINDOWS\g20114906.exe
2007-05-15 06:39	71,680	--a------	E:\WINDOWS\g18794687.exe
2007-05-15 06:17	71,680	--a------	E:\WINDOWS\g17474390.exe
2007-05-15 05:55	71,680	--a------	E:\WINDOWS\g16153875.exe
2007-05-15 05:35	71,680	--a------	E:\WINDOWS\g14953078.exe
2007-05-15 05:13	71,680	--a------	E:\WINDOWS\g13632828.exe
2007-05-15 04:51	71,680	--a------	E:\WINDOWS\g12312156.exe
2007-05-15 04:29	71,680	--a------	E:\WINDOWS\g10993265.exe
2007-05-15 04:07	71,680	--a------	E:\WINDOWS\g9671796.exe
2007-05-15 03:45	71,680	--a------	E:\WINDOWS\g8353140.exe
2007-05-15 03:25	71,680	--a------	E:\WINDOWS\g7152859.exe
2007-05-15 03:05	71,680	--a------	E:\WINDOWS\g5950250.exe
2007-05-15 02:45	71,680	--a------	E:\WINDOWS\g4749890.exe
2007-05-15 02:16	71,680	--a------	E:\WINDOWS\g3038968.exe
2007-05-15 01:54	71,680	--a------	E:\WINDOWS\g1718312.exe
2007-05-14 03:54 d--hs----	E:\FOUND.005
2007-05-14 03:32	71,680	--a------	E:\WINDOWS\g15449031.exe
2007-05-14 03:12	71,680	--a------	E:\WINDOWS\g14260453.exe
2007-05-14 02:52	71,680	--a------	E:\WINDOWS\g13060765.exe
2007-05-14 02:31	71,680	--a------	E:\WINDOWS\g11829671.exe
2007-05-13 22:21 d--hs----	E:\FOUND.004
2007-05-13 11:15 d--------	E:\WINDOWS\LastGood
2007-05-13 11:05 d--------	E:\WINDOWS\LogFiles
2007-05-11 09:15 d--hs----	E:\FOUND.002
2007-05-08 05:16	13,312	--a------	E:\WINDOWS\system32\SVRAPI.DLL
2007-05-08 05:16 d--------	E:\Program Files\NewsRover
2007-05-04 20:26 d--hs----	E:\FOUND.003
2007-05-04 20:19	614,191	--a------	E:\WINDOWS\system32\RegistryCleanerSetup.exe
2007-05-04 20:08	71,680	--a------	E:\WINDOWS\g3145671.exe
2007-05-04 10:15 d--------	E:\Program Files\Road Angel Group
2007-05-04 10:14 d--------	E:\Program Files\Common Files\Wise Installation Wizard
2007-05-01 23:29 d--hs----	E:\FOUND.001
2007-05-01 23:04 d--------	E:\WINDOWS\LastGood.Tmp
2007-04-29 13:49 d--hs----	E:\FOUND.000

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-18 04:16:30	6,338	----a-w	E:\WINDOWS\system32\tmp.reg
2007-05-12 05:43:18	24	----a-w	E:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat
2007-05-12 05:43:18	24	----a-w	E:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat
2007-04-28 14:51:36	--------	d-----w	E:\Program Files\DriverScan
2007-04-26 06:08:56	--------	d-----w	E:\Program Files\Road Angel Group(2)
2007-04-16 21:47:36	33,624	----a-w	E:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54	1,710,936	----a-w	E:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48	549,720	----a-w	E:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42	325,976	----a-w	E:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36	203,096	----a-w	E:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28	92,504	----a-w	E:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20	53,080	----a-w	E:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20	43,352	----a-w	E:\WINDOWS\system32\wups2.dll
2007-04-11 08:09:46	--------	d-----w	E:\DOCUME~1\User\APPLIC~1\Snapfish
2007-04-11 08:09:42	8,806	----a-w	E:\WINDOWS\mozver.dat
2007-04-08 20:31:02	--------	d-----w	E:\Program Files\DVD Photo Slideshow Professional
2007-04-02 07:29:44	--------	d-----w	E:\Program Files\Bonjour
2007-04-02 07:13:08	--------	d-----w	E:\Program Files\Kodak
2007-03-28 06:46:40	--------	d-----w	E:\Program Files\Common Files\xing shared
2007-02-28 23:05:28	86,016	----a-w	E:\WINDOWS\system32\ElbyCDIO.dll
2005-10-03 18:29:34	1,890	--sha-w	E:\WINDOWS\system32\KGyGaAvL.sys
2005-05-14 19:51:00	8	--sh--r	E:\WINDOWS\system32\C77FEEEC04.sys
2005-02-08 22:00:34	8	--sh--r	E:\WINDOWS\system32\4BFA2BD44F.sys
2004-12-31 12:36:32	56	--sh--r	E:\WINDOWS\system32\3CF445F412.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=E:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=E:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll [2005-12-09 16:22]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}=E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll [2006-02-06 14:51]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PestPatrol Control Center"="E:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 11:49]
"Jet Detection"="E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00]
"SSC_UserPrompt"="E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 16:59]
"MULTIMEDIA KEYBOARD"="E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-02-21 10:55]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2005-07-30 07:04]
"AVG7_EMC"="E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2005-07-30 07:05]
"AVG7_RegCleaner"="E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe" [2005-07-30 07:05]
"ISUSPM Startup"="E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03]
"ISUSScheduler"="E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03]
"GhostStartTrayApp"="C:\Program Files\ng2003\GhostStartTrayApp.exe" [2002-08-14 15:21]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SpySweeper"="C:\My Shared Folder\SpySweeper.exe" [2005-05-12 15:14]
"InCD"="E:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06]
"TkBellExe"="E:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-28 07:43]
"Adobe Photo Downloader"="E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"REGSHAVE"="E:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"NvCplDaemon"="E:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"EPSON Stylus Photo R300 Series (Copy 1)"="E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00]
"EPSON Stylus Photo R300 Series"="E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00]
"PopUpStopperProfessional"="E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE" [2005-06-03 00:06]
"Copernic Desktop Search 2"="E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" [2006-12-08 15:58]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-25 18:42]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"=RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 14:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="E:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	msv1_0 relog_ap

Contents of the 'Scheduled Tasks' folder
2007-05-28 21:49:18 E:\WINDOWS\tasks\Symantec NetDetect.job
2007-05-28 20:06:32 E:\WINDOWS\tasks\XoftSpy.job
2007-04-10 20:22:02 E:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-18 03:11:10 E:\WINDOWS\tasks\RegCure.job
2007-05-28 23:21:52 E:\WINDOWS\tasks\RegCure Program Check.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 00:21:51
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo R300 Series (Copy 1) = E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
EPSON Stylus Photo R300 Series = E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"

scanning hidden files ...

disk error: E:\WINDOWS\

please note that you need administrator rights to perform deep scan

********************************************************************

Completion time: 2007-05-29 0:25:03 - machine was rebooted
E:\ComboFix3.txt ... 2006-11-15 05:15
E:\ComboFix2.txt ... 2007-05-28 23:59
E:\ComboFix-quarantined-files.txt ... 2007-05-29 00:24

--- E O F ---


----------



## topman1 (May 20, 2004)

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 00:07:54, on 29/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\SCardSvr.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\ng2003\GHOSTS~2.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\snmp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
C:\My Shared Folder\WRSSSDK.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\WINDOWS\System32\wuauclt.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ng2003\GhostStartTrayApp.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\My Shared Folder\SpySweeper.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
E:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
E:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - E:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\ng2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [REGSHAVE] E:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - E:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\ng2003\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\My Shared Folder\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

Phew

and many thanks for persevering with me.

How's it looking now?

DK


----------
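The HijackThis log above is the kind of thing the helpers in this thread read by eye. As an added example (not code from the thread or from HijackThis), here is a small triage parser for the v1.99 log format that pulls out the entries a responder cares about most: the per-user proxy (R1 ProxyServer), O4 Run entries whose binary lives outside Program Files or the Windows directory, O23 services with no owner or a missing binary, O20 Winlogon Notify DLLs and O10 Winsock LSP DLLs. SAMPLE_LOG is a constructed subset of lines copied from the log; the flagging rules are heuristics chosen for this example, not anything HijackThis itself does.

```python
"""Triage a HijackThis v1.99 log for persistence and network-redirection entries.

Added example for this thread, not code from the thread or from HijackThis.
SAMPLE_LOG is a constructed subset of lines copied from the posted log; the
flagging rules (public proxy, Run entries outside Program Files / Windows,
services with no owner or a missing binary) are heuristics chosen here."""
import ipaddress
import re
from typing import Dict

# Constructed sample: a subset of lines from the posted HJT log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)")
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.exe)"?', re.I)
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")

# Directory prefixes (drive letter dropped, lower-cased) where autostart binaries normally live.
EXPECTED_DIRS = ("\\program files\\", "\\windows\\")


def _strip_drive(path: str) -> str:
    """Lower-case the path and drop the drive letter so C:\\ vs E:\\ does not matter."""
    p = path.strip().lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def _is_public_ip(host: str) -> bool:
    """True when host is an IP literal outside private, loopback and link-local ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(log_text: str) -> Dict[str, list]:
    """Return the entries worth a second look, grouped by HJT section."""
    findings: Dict[str, list] = {"proxy": [], "run_unusual_dir": [], "services": [],
                                 "winlogon_notify": [], "lsp": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            host = m["proxy"].rsplit(":", 1)[0]
            findings["proxy"].append((m["proxy"], _is_public_ip(host)))
        elif m := RUN_RE.match(line):
            if not _strip_drive(m["path"]).startswith(EXPECTED_DIRS):
                findings["run_unusual_dir"].append((m["hive"], m["name"], m["path"]))
        elif m := SVC_RE.match(line):
            missing = m["missing"] is not None
            if missing or m["owner"] == "Unknown owner":
                findings["services"].append((m["name"], m["owner"], m["path"].strip(), missing))
        elif m := WINLOGON_RE.match(line):
            findings["winlogon_notify"].append((m["name"], m["path"]))
        elif m := LSP_RE.match(line):
            findings["lsp"].append(m["path"])
    return findings


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"{section}:")
        for item in items:
            print("   ", item)
```

On the sample, the proxy entry is reported with its address marked public, the SpySweeper Run entry is listed because it runs from outside Program Files, and the two services are listed because one has no recorded owner and the other's binary is missing. Whether any of those is actually malicious is a judgement the parser leaves to the reader; its job is only to make sure they are not skimmed past.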



## cybertech (Apr 16, 2002)

I'm not happy with the Avenger results when I see the files in the ComboFix log.

Restart in Safe Mode.

To boot up in Safe mode, continuously tap the F8 key while starting your computer. 
You should see a black screen displaying the Windows Advanced Menu Options. 
Using your keyboard's arrow keys, select Safe mode, then hit Enter.

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

Now take the files from the Avenger list and see if you can delete those.
Files to delete:
c:\windows\g1718312.exe
c:\windows\g3145671.exe
c:\windows\g11829671.exe
c:\windows\g13060765.exe
c:\windows\g14260453.exe
c:\windows\g15449031.exe
c:\windows\g3038968.exe
c:\windows\smanager.7.exe~
c:\windows\g4749890.exe
c:\windows\g5950250.exe
c:\windows\g7152859.exe
c:\windows\g283671.exe
c:\windows\g1745875.exe
c:\windows\g272187.exe
c:\windows\g8353140.exe
c:\windows\g9671796.exe
c:\windows\g1593281.exe
c:\windows\g10993265.exe
c:\windows\g549687.exe
c:\windows\g2793937.exe
c:\windows\g395984.exe
c:\windows\g401765.exe
c:\windows\g12312156.exe
c:\windows\g13632828.exe
c:\windows\g14953078.exe
c:\windows\g16153875.exe
c:\windows\g17474390.exe
c:\windows\g18794687.exe
c:\windows\g1599765.exe
c:\windows\g20114906.exe
c:\windows\g21435250.exe
c:\windows\g10762640.exe
c:\windows\g2920875.exe
c:\windows\g280281.exe
c:\windows\g1481015.exe
c:\windows\g544531.exe
c:\windows\g518953.exe
c:\windows\g917203.exe
c:\windows\g2237187.exe
c:\windows\g3437750.exe
c:\windows\g4758484.exe
c:\windows\g1742312.exe
c:\windows\g2942640.exe
c:\windows\g4269156.exe
c:\windows\g534187.exe
c:\windows\g523625.exe
c:\windows\g767390.exe
c:\windows\g2086031.exe
c:\windows\g3301421.exe
c:\windows\g4493343.exe
c:\windows\g5813234.exe
c:\windows\g7133000.exe
c:\windows\g8334500.exe
c:\windows\g9655750.exe
c:\windows\g10976921.exe
c:\windows\g12297843.exe
c:\windows\g3428031.exe
c:\windows\g13618656.exe
c:\windows\g14939500.exe
c:\windows\g4750406.exe
c:\windows\g5957843.exe
c:\windows\g7154375.exe
c:\windows\g16140515.exe
c:\windows\g8371859.exe
c:\windows\g9561546.exe
c:\windows\g11965203.exe
c:\windows\g13166671.exe
c:\windows\g14371015.exe
c:\windows\g15575359.exe
c:\windows\g16771796.exe
c:\windows\g17972859.exe
c:\windows\g19173296.exe

Then restart in normal mode and run *Panda ActiveScan* *here*

*Post the results from ActiveScan.*


----------



## topman1 (May 20, 2004)

I could not find the files on the Avenger list to delete.

And here is the Panda log:

Incident Status Location

Adware:adware/ncase Not disinfected e:\temp\FLEOK 
Adware:adware/cws Not disinfected E:\Documents and Settings\User\Favorites\Insurance 
Adware:adware/superspider Not disinfected Windows Registry  
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry.exe 
Potentially unwanted tool:Application/MalwareAlarm Not disinfected C:\Program Files\BraveSentry\BraveSentry0.dll 
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry2.dll 
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry3.dll 
Adware:Adware/BraveSentry Not disinfected C:\Program Files\BraveSentry\Uninstall.exe 
Virus:Eicar.Mod Not disinfected C:\20050405_060505_User\E\PROGRA~1\PESTPA~1\HELP.CHM.nco[20050405_060505_User\E\PROGRA~1\PESTPA~1\HELP.CHM][/HowCanITestDetection.html] 
Potentially unwanted tool:Application/RegistryCleaner Not disinfected E:\WINDOWS\SYSTEM32\RegistryCleanerSetup.exe[RegistryCleaner.exe] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected E:\WINDOWS\NIRCMD.EXE 
Adware:Adware/DriveCleaner Not disinfected E:\WINDOWS\smanager.7.exe~ 
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\User\Desktop\Virus Software\SmitfraudFix.zip[SmitfraudFix/Process.exe] 
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\User\Desktop\Virus Software\SDFix\APPS\Process.exe  
Potentially unwanted tool:Application/NirCmd.A Not disinfected E:\Documents and Settings\User\Desktop\Virus Software\ComboFix.exe[ComboFixT\nircmd.exe] 
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\User\Desktop\Exe\SDFix.exe[SDFix\apps\Process.exe] 
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\User\DoctorWeb\Quarantine\Process.exe 
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\User\DoctorWeb\Quarantine\Process0.exe 
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\User\DoctorWeb\Quarantine\Process1.exe 
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\User\DoctorWeb\Quarantine\A0346926.EXE 
Potentially unwanted tool:Application/VSToolbar Not disinfected E:\Documents and Settings\User\DoctorWeb\Quarantine\A0354086.EXE 
Potentially unwanted tool:Application/VSToolbar Not disinfected E:\Documents and Settings\User\DoctorWeb\Quarantine\ocdhflrl.exe.bad 
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\User\DoctorWeb\Quarantine\Process2.exe 
Virus:Eicar.Mod Not disinfected E:\Program Files\PestPatrol\Help.chm[/HowCanITestDetection.html] 
Spyware:Spyware/Apropos Not disinfected E:\Program Files\PestPatrol\Quarantine\20050217064105296.zip[Documents and Settings/User/local settings/temp/autoupdate0/setup.inf]  
Adware:Adware/PurityScan Not disinfected E:\QooBox\Quarantine\E\Program Files\Common Files\SSTEM3~1\??rss.exe 
Potentially unwanted tool:Application/Processor Not disinfected E:\SDFix\APPS\Process.exe

Thanks again.

Pain ain't it?

Dave K


----------



## cybertech (Apr 16, 2002)

topman1 said:


> I could not find the files on avenger list to delete.


Well, that is my fault I'm afraid, they are on the E drive, not C!!!

Empty your PestPatrol Quarantine
Empty your DoctorWeb Quarantine

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

e:\temp\FLEOK
E:\Documents and Settings\User\Favorites\Insurance 
C:\Program Files\BraveSentry
E:\WINDOWS\SYSTEM32\RegistryCleanerSetup.exe
E:\WINDOWS\smanager.7.exe~
E:\WINDOWS\system32\tmp.reg
e:\windows\g1718312.exe
e:\windows\g3145671.exe
e:\windows\g11829671.exe
e:\windows\g13060765.exe
e:\windows\g14260453.exe
e:\windows\g15449031.exe
e:\windows\g3038968.exe
e:\windows\smanager.7.exe~
e:\windows\g4749890.exe
e:\windows\g5950250.exe
e:\windows\g7152859.exe
e:\windows\g283671.exe
e:\windows\g1745875.exe
e:\windows\g272187.exe
e:\windows\g8353140.exe
e:\windows\g9671796.exe
e:\windows\g1593281.exe
e:\windows\g10993265.exe
e:\windows\g549687.exe
e:\windows\g2793937.exe
e:\windows\g395984.exe
e:\windows\g401765.exe
e:\windows\g12312156.exe
e:\windows\g13632828.exe
e:\windows\g14953078.exe
e:\windows\g16153875.exe
e:\windows\g17474390.exe
e:\windows\g18794687.exe
e:\windows\g1599765.exe
e:\windows\g20114906.exe
e:\windows\g21435250.exe
e:\windows\g10762640.exe
e:\windows\g2920875.exe
e:\windows\g280281.exe
e:\windows\g1481015.exe
e:\windows\g544531.exe
e:\windows\g518953.exe
e:\windows\g917203.exe
e:\windows\g2237187.exe
e:\windows\g3437750.exe
e:\windows\g4758484.exe
e:\windows\g1742312.exe
e:\windows\g2942640.exe
e:\windows\g4269156.exe
e:\windows\g534187.exe
e:\windows\g523625.exe
e:\windows\g767390.exe
e:\windows\g2086031.exe
e:\windows\g3301421.exe
e:\windows\g4493343.exe
e:\windows\g5813234.exe
e:\windows\g7133000.exe
e:\windows\g8334500.exe
e:\windows\g9655750.exe
e:\windows\g10976921.exe
e:\windows\g12297843.exe
e:\windows\g3428031.exe
e:\windows\g13618656.exe
e:\windows\g14939500.exe
e:\windows\g4750406.exe
e:\windows\g5957843.exe
e:\windows\g7154375.exe
e:\windows\g16140515.exe
e:\windows\g8371859.exe
e:\windows\g9561546.exe
e:\windows\g11965203.exe
e:\windows\g13166671.exe
e:\windows\g14371015.exe
e:\windows\g15575359.exe
e:\windows\g16771796.exe
e:\windows\g17972859.exe
e:\windows\g19173296.exe

 Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
Close *OTMoveIt*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
_Please copy and paste the Scan Log results in your next reply._

Click *Close* to exit the program.


----------
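Two posts above, the Safe Mode deletion list was written with `c:\windows\...` paths while this machine's Windows directory is on E:, so none of the files could be found; the OTMoveIt list corrects the drive letter. As an added example (not code from the thread or from Avenger, ComboFix or OTMoveIt), here is a checker that takes such a list, ignores the drive letter it claims, and looks for each file under every candidate drive root before anything is deleted. It also tags names matching the `g<digits>.exe` pattern of the droppers listed in the thread. The drive names, the temp-directory stand-in for two drives and the file contents are constructed for the example; on a real box the roots would be `{"C": Path("C:/"), "E": Path("E:/")}`.

```python
"""Check a cleanup list of Windows paths against every candidate drive root
before deleting anything.

Added example for this thread, not code from the thread or from Avenger,
ComboFix or OTMoveIt. It targets the failure mode seen above: the list said
c:\\windows\\g....exe but Windows lives on E:, so nothing was found.
The demo tree, the byte contents and the drive names are constructed."""
import re
import tempfile
from pathlib import Path, PureWindowsPath
from typing import Dict, List, Tuple

# The thread's randomly numbered droppers: g<6-8 digits>.exe (pattern chosen here).
RANDOM_NAME_RE = re.compile(r"^g\d{6,8}\.exe$", re.I)


def split_drive(win_path: str) -> Tuple[str, Path]:
    """'c:\\windows\\foo.exe' -> ('C', Path('windows/foo.exe'))."""
    p = PureWindowsPath(win_path)
    return p.drive.rstrip(":").upper(), Path(*p.parts[1:])


def locate(listed: List[str], roots: Dict[str, Path]) -> List[dict]:
    """For each listed path report the drive it claims, the drives where the
    file really exists, and whether the name matches the dropper pattern.
    On a real box roots would be {"C": Path("C:/"), "E": Path("E:/")}."""
    report = []
    for entry in listed:
        drive, rel = split_drive(entry)
        found = [d for d, root in roots.items() if (root / rel).is_file()]
        report.append({"listed": entry, "claimed_drive": drive, "found_on": found,
                       "random_name": bool(RANDOM_NAME_RE.match(rel.name))})
    return report


def delete_found(report: List[dict], roots: Dict[str, Path],
                 dry_run: bool = True) -> List[Path]:
    """Delete (dry_run=False) or just list each file where it was actually found.
    Run the real deletion from Safe Mode so no loader holds the files open."""
    acted: List[Path] = []
    for item in report:
        _, rel = split_drive(item["listed"])
        for drive in item["found_on"]:
            target = roots[drive] / rel
            if not dry_run:
                target.unlink()
            acted.append(target)
    return acted


def build_demo_tree() -> Dict[str, Path]:
    """Constructed stand-in for two drives: the files are under 'E', not 'C'."""
    base = Path(tempfile.mkdtemp(prefix="cleanup_demo_"))
    roots = {"C": base / "C", "E": base / "E"}
    for root in roots.values():
        (root / "windows").mkdir(parents=True)
    (roots["E"] / "windows" / "g1718312.exe").write_bytes(b"MZ constructed")
    (roots["E"] / "windows" / "smanager.7.exe~").write_bytes(b"constructed")
    return roots


if __name__ == "__main__":
    demo_roots = build_demo_tree()
    wanted = [r"c:\windows\g1718312.exe", r"c:\windows\smanager.7.exe~",
              r"c:\windows\g3145671.exe"]
    for row in locate(wanted, demo_roots):
        print(row)
    print("would delete:", delete_found(locate(wanted, demo_roots), demo_roots))
```

Running the demo shows the first two entries found under E and not C, and the third found nowhere, which is exactly the report you want before committing to a deletion list: a mismatch between the claimed drive and the real one is an operator error, while a file found on no drive at all either never existed or has already been moved by one of the other tools.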



## topman1 (May 20, 2004)

Latest antispy log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/31/2007 at 10:59 PM

Application Version : 3.8.1002

Core Rules Database Version : 3247
Trace Rules Database Version: 1258

Scan type : Complete Scan
Total Scan Time : 02:03:53

Memory items scanned : 536
Memory threats detected : 0
Registry items scanned : 7520
Registry threats detected : 0
File items scanned : 130085
File threats detected : 19

Trojan.SmitFraud Variant
C:\WINDOWS\XPUPDATE.EXE

Malware.MalwareStopper
C:\SYSTEM VOLUME INFORMATION\_RESTORE{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP742\A0361021.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP742\A0361022.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP742\A0361023.DLL

Adware.ClickSpring
E:\SYSTEM VOLUME INFORMATION\_RESTORE{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP737\A0355206.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP740\A0359778.EXE
E:\QooBox\Quarantine\E\Program Files\Common Files\SSTEM3~1\RSS~1.EXE

Unclassified.Unknown Origin
E:\SYSTEM VOLUME INFORMATION\_RESTORE{100CCA3A-5156-4318-A36F-963CFE5C296E}\RP740\A0359779.DLL

Trojan.BraveSentry
E:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\BRAVESENTRY\BRAVESENTRY.EXE
E:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\BRAVESENTRY\BRAVESENTRY0.BS
E:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\BRAVESENTRY\BRAVESENTRY0.DLL
E:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\BRAVESENTRY\BRAVESENTRY1.BS
E:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\BRAVESENTRY\BRAVESENTRY2.DLL
E:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\BRAVESENTRY\BRAVESENTRY3.DLL
E:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\BRAVESENTRY\UNINSTALL.EXE
E:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\BRAVESENTRY\BRAVESENTRY.LIC

Trojan.Unknown Origin
E:\_OTMOVEIT\MOVEDFILES\WINDOWS\SMANAGER.7.EXE~

Trojan.Downloader-Gen/SwampDonk
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\KHFGDED.DLL.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\LJJHEEC.DLL.VIR

DK


----------



## cybertech (Apr 16, 2002)

How is it running now?
Please post your hijackthis log again.


----------



## topman1 (May 20, 2004)

It is running a lot better. Haven't noticed anything yet!!!!

Latest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 19:42:27, on 01/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\SCardSvr.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\ng2003\GHOSTS~2.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\snmp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
C:\My Shared Folder\WRSSSDK.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\PESTPA~1\PPControl.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ng2003\GhostStartTrayApp.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\My Shared Folder\SpySweeper.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
E:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
E:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
E:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
E:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Hjt\dave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - E:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] E:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\ng2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [REGSHAVE] E:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "E:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "E:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - E:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\ng2003\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\My Shared Folder\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

and if this is now cured, I thank you most sincerely for your perseverance and wisdom.

Much appreciated.

Dave K
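As an added example (not part of the thread or of HijackThis itself), a small Python script that reads entries in the log format posted above and lists the ones a log reviewer usually checks first. The sample lines are copied from the log; the rules are review prompts, not verdicts, and the directory list is an assumption about where start-up items normally live.

```python
import re

# Constructed sample built from entries in the HijackThis log posted above;
# each entry has the shape "<section> - <detail>".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.107.224.24:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\My Shared Folder\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O10 - Unknown file in Winsock LSP: e:\program files\bonjour\mdnsnsp.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<detail>.+)$")
# Assumed "normal" homes for start-up items; anything else gets a second look.
EXPECTED_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\")
PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)


def review_reasons(sec, detail):
    """Return the reasons a reviewer would look twice at one log entry."""
    reasons = []
    low = detail.lower()
    if sec == "R1" and "proxyserver" in low:
        reasons.append("proxy configured; confirm the user set it")
    if sec in ("O2", "O3", "O9") and "(no name)" in low:
        reasons.append("unnamed browser extension; identify the CLSID and file")
    if sec == "O4":
        if detail.rstrip().endswith("= ?"):
            reasons.append("startup shortcut with unresolved target")
        m = PATH_RE.search(detail)
        if m and not any(d in m.group(1).lower() for d in EXPECTED_DIRS):
            reasons.append("autorun outside Program Files / Windows")
    if sec == "O10" and "unknown file" in low:
        reasons.append("unrecognised Winsock LSP; verify the DLL's vendor")
    if sec == "O23" and "(file missing)" in low:
        reasons.append("service registered for a file that no longer exists")
    return reasons


def triage(log_text):
    """Parse HijackThis log text; return [(section, reason, raw line), ...]."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        for reason in review_reasons(m.group("sec"), m.group("detail")):
            findings.append((m.group("sec"), reason, line.strip()))
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the seven sample entries; the iTunes autorun under Program Files is left alone.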


----------



## cybertech (Apr 16, 2002)

Looks good to me! 

You can remove all of the tools I requested you to download and/or folders associated with them now.

SUPERAntiSpyware is a trial version so you can keep that until the trial is over and then uninstall.

It's a good idea to Flush your System Restore after removing malware:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart the computer.

To create a new restore point:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn on System Restore.
Click Apply, and then click OK.

Here are some additional links for you to check out to help you with your computer security.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!


----------

