# Solved: spyware + virus, help would be appreciated :)



## theriddler (Jul 23, 2007)

Ok, here is the HijackThis logfile. My computer is running slow when I boot it up; it stays on the Windows XP loading screen (the one where the bar goes from left to right).
What happened is, about a week ago when I tried to boot up my computer it said "error, Windows cannot access your license" (something along those lines),
so I put in my XP disk and reloaded Windows. It worked, but as I said it is running very slow. Also, if I try and use IE, a pop-up just comes up and crashes it, then I have to press Ctrl+Alt+Delete to get rid of it. At the bottom of the post I have posted screenshots; can you tell me if there is anything there that is hogging the CPU? Thanks guys!

Logfile of HijackThis v1.99.1
Scan saved at 13:52:30, on 23/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
c:\Recyclers\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Advanced Browser\browser.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\nick\LOCALS~1\Temp\~AceTemp\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [CreativeMouse ] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\piyezjd.dll,TurnOn2
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] "C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] "C:\Program Files\PCPitstop\Optimize\Reminder.exe"
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYGB
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## theriddler (Jul 23, 2007)

Thank you.

Here is the SDFix log:

SDFix: Version 1.93

Run by Administrator on 24/07/2007 at 22:15

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service 
Restoring Missing SharedAccess Service

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ULTRA.DLL - Deleted
C:\Recyclers\svchost.exe - Deleted
C:\WINDOWS\system32\TFTP3120 - Deleted

Folder C:\Recyclers\ - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\system32\Tools\All.exe
C:\WINDOWS\system32\Tools\Change.exe
C:\WINDOWS\system32\Tools\CheckPath.exe
C:\WINDOWS\system32\Tools\Counter.exe
C:\WINDOWS\system32\Tools\DelFolders.exe
C:\WINDOWS\system32\Tools\DirectSetup.exe
C:\WINDOWS\system32\Tools\RegClean.exe
C:\WINDOWS\system32\Tools\Regexe.exe
C:\WINDOWS\system32\Tools\Restart.exe
C:\WINDOWS\system32\Tools\RunRegexe.exe
C:\WINDOWS\system32\B0DE9BE21E.sys
C:\WINDOWS\system32\KGyGaAvL.sys

Finished

And here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:32:18, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Advanced Browser\browser.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [CreativeMouse ] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\piyezjd.dll,TurnOn2
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] "C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] "C:\Program Files\PCPitstop\Optimize\Reminder.exe"
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYGB
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

Thanks for your help!


----------
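As an added example that is not part of the original thread: a small Python triage script that applies, mechanically, the checks a HijackThis helper makes by eye on the logs posted above. It flags a core Windows binary (svchost.exe and friends) running from anywhere but %SystemRoot%\system32, an O23 service with "Unknown owner" whose image is such a binary outside system32, a BHO DLL dropped directly into C:\WINDOWS, a Run entry that starts a DLL through rundll32 which is not on the reviewer's allowlist, and a service whose image file is missing. The sample lines are copied from the first log in this thread; the allowlist of known-good rundll32 targets (NvCpl.dll, NvMcTray.dll), the directory lists and the severity labels are the example's own assumptions, not anything HijackThis or SDFix ships.

```python
"""Heuristic triage of a HijackThis v1.99 log (added example, not from the thread)."""
import ntpath
import re

# Core Windows binaries that legitimately run only from %SystemRoot%\system32.
CORE_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "alg.exe",
}
SYSTEM32 = r"c:\windows\system32"
TRUSTED_DIRS = (r"c:\program files", SYSTEM32)   # assumption: where vendor services live
DROP_DIRS = {r"c:\windows", r"c:\windows\temp"}  # assumption: common dropper locations

# Assumption: a reviewer-maintained allowlist of DLLs legitimately started via
# rundll32 from a Run key. HijackThis ships no such list; anything not on it is
# raised for manual review rather than declared malicious.
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll", "nvmctray.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+?\.dll),', re.IGNORECASE)

# Lines copied from the first HijackThis log in this thread (a true negative is
# kept beside each true positive so the rules can be seen to discriminate).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
c:\Recyclers\svchost.exe
C:\WINDOWS\explorer.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\piyezjd.dll,TurnOn2
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


def _norm(path):
    """Lower-case a Windows path and drop surrounding quotes."""
    return path.strip().strip('"').lower()


def _dir(path):
    return ntpath.dirname(_norm(path))


def _base(path):
    return ntpath.basename(_norm(path))


def triage(log_text):
    """Return (severity, log_line, reason) tuples for entries worth a second look."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if re.match(r"^[A-Z]\d+ - ", line):
            section = "entries"
        if section == "processes":
            # A core binary running from any directory but system32 is the classic
            # masquerade (here: c:\Recyclers\svchost.exe).
            if _base(line) in CORE_BINARIES and _dir(line) != SYSTEM32:
                findings.append(("HIGH", line, f"{_base(line)} running from outside system32"))
            continue
        m = O2_RE.match(line)
        if m:
            if _dir(m["path"]) in DROP_DIRS:
                findings.append(("HIGH", line, "BHO DLL dropped directly into %SystemRoot%"))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"].strip())
            if r and _base(r["dll"]) not in KNOWN_RUNDLL_TARGETS:
                findings.append(("REVIEW", line,
                                 f"rundll32 loads unlisted DLL {_base(r['dll'])} from Run key [{m['key']}]"))
            continue
        m = O23_RE.match(line)
        if m:
            path = m["path"]
            if "(file missing)" in path:
                findings.append(("LOW", line, "orphaned service: image file missing"))
            elif m["owner"] == "Unknown owner" and _base(path) in CORE_BINARIES and _dir(path) != SYSTEM32:
                findings.append(("HIGH", line, "service masquerading as a core binary outside system32"))
            elif m["owner"] == "Unknown owner" and not _dir(path).startswith(TRUSTED_DIRS):
                findings.append(("REVIEW", line, "service with no vendor string outside Program Files/system32"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample it raises c:\Recyclers\svchost.exe twice (as a running process and as the "Messsaanger" service), C:\WINDOWS\xhelper.dll, the [SecurityUpdate] rundll32 entry and the orphaned rpcapd service, while the Java BHO, the NVIDIA rundll32 entry and the Epson service pass. The SDFix report above confirms the first of these by deleting C:\Recyclers\svchost.exe and removing the folder; the rundll32 hit is deliberately only "REVIEW", because an allowlist miss is a prompt to look the file up, not proof of infection.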



## Cookiegal (Aug 27, 2003)

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop. Note for AVG Free anti-virus users only: this is not the same program that you already have, this is an anti-spyware program.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.

Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:


Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## theriddler (Jul 23, 2007)

Damn, I did the scan wrong and didn't receive a report, sorry. I can put up a new HijackThis log, maybe you can see where there have been changes. Sorry about that.

These two trojans came up when I used AVG Anti-Spyware:
C:\windows\system32\piyezjd.dll trojan.BHO.bd
C:\windows\system32\piyezjd.dll trojan.BHO.bd

Logfile of HijackThis v1.99.1
Scan saved at 02:03:28, on 26/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [CreativeMouse ] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] "C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] "C:\Program Files\PCPitstop\Optimize\Reminder.exe"
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYGB
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

This also might be of some help. It's the log file for SUPERAntiSpyware.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/25/2007 at 11:53 PM

Application Version : 3.9.1008

Core Rules Database Version : 3273
Trace Rules Database Version: 1284

Scan type : Complete Scan
Total Scan Time : 03:12:55

Memory items scanned : 485
Memory threats detected : 0
Registry items scanned : 5622
Registry threats detected : 15
File items scanned : 101231
File threats detected : 20

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\TypeLib
C:\PROGRAM FILES\EMCO MALWARE DESTROYER\QUARANTINE\HOME-XXOC2DEDWC\NMC.IWON\FILES\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\PROGRAM FILES\EMCO MALWARE DESTROYER\QUARANTINE\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\FILES\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

Adware.Agent-XMLHelp
HKLM\Software\Classes\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}#AppID
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\InprocServer32
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\InprocServer32#ThreadingModel
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\ProgID
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\Programmable
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\TypeLib
HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\VersionIndependentProgID
C:\WINDOWS\XHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}

Adware.Tracking Cookie
C:\Documents and Settings\nick\Cookies\[email protected][1].txt

Trojan.Malware
C:\DOCUMENTS AND SETTINGS\NICK\DESKTOP\JUNK FOLDER\ERRORNUKERINSTALLER.EXE

Trojan.SVCHST
C:\PROGRAM FILES\EMCO MALWARE DESTROYER\QUARANTINE\HOME-XXOC2DEDWC\NMC.DOWNLDR.YZ\FILES\DOCUMENTS AND SETTINGS\NICK\LOCAL SETTINGS\TEMP\SVCHST.EXE
C:\PROGRAM FILES\EMCO MALWARE DESTROYER\QUARANTINE\HOME-XXOC2DEDWC\NMC.TORPID.H\FILES\DOCUMENTS AND SETTINGS\NICK\LOCAL SETTINGS\TEMP\SVCHST.EXE

Adware.180solutions/ZangoSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070558.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070559.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070560.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070561.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070562.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070564.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070566.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070567.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070568.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070569.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070571.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070572.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP125\A0070574.DLL

Thanks for your help.


----------
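Added example, not part of the thread and not a HijackThis feature: a small Python triage script that applies to the O4 (autorun) and O23 (service) lines of the log above the checks an analyst makes by eye, such as a core Windows binary name (svchost.exe) registered from a path outside system32, a service display name that is a misspelling of a built-in Windows service, a service whose binary is no longer on disk, a service with no vendor in its version info outside the usual program directories, and an autorun executable sitting directly in the Windows folder. The sample lines are copied verbatim from the posted log; the look-alike name list, the trusted-directory list and the severity labels are this example's own assumptions and should be tuned to the machine being looked at.

```python
"""Triage HijackThis O4 (autorun) and O23 (service) lines.

Added example for this thread, not a HijackThis feature. The name lists,
trusted directories and severities are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Display names of built-in Windows XP services that malware imitates (assumed list).
KNOWN_SERVICE_NAMES = ("messenger", "windows update", "task scheduler",
                       "workstation", "server")
# Core Windows binaries that on XP belong only in %SystemRoot%\system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe"}
# Where a service with no vendor name may live without being flagged (assumption).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\", "%programfiles%\\")
# First drive-letter or %VAR%-rooted path ending in .exe/.dll on a line.
PATH_RE = re.compile(r'((?:[a-z]:|%[^%]+%)\\[^"]*?\.(?:exe|dll))', re.I)
WINDIR_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe")


@dataclass
class Finding:
    line: str
    reason: str
    severity: str  # "high" = act on it, "review" = verify by hand


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch look-alike service names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(text: str) -> str | None:
    m = PATH_RE.search(text)
    return m.group(1).lower() if m else None


def parse_o23(line: str) -> dict | None:
    """'O23 - Service: Display (key) - Owner - path [(file missing)]' -> fields."""
    parts = line[len("O23 - Service: "):].split(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = re.search(r"\(([^()]+)\)\s*$", display)  # trailing (...) is the key name
    return {"display": display[:m.start()].strip() if m else display.strip(),
            "short": m.group(1) if m else None, "owner": owner.strip(),
            "path": path, "missing": "(file missing)" in path}


def triage_line(line: str) -> list[Finding]:
    found = []
    if line.startswith("O23 - Service: "):
        svc = parse_o23(line)
        if svc is None:
            return found
        exe = extract_path(svc["path"])
        base = exe.rsplit("\\", 1)[-1] if exe else ""
        if base in SYSTEM_BINARIES and not exe.startswith("c:\\windows\\system32\\"):
            found.append(Finding(line, f"{base} outside system32: {exe}", "high"))
        for known in KNOWN_SERVICE_NAMES:
            if 0 < levenshtein(svc["display"].lower(), known) <= 3:
                found.append(Finding(line, f"service name '{svc['display']}' resembles '{known}'", "high"))
        if svc["missing"]:
            found.append(Finding(line, "service still registered but its binary is absent", "review"))
        if svc["owner"] == "Unknown owner" and exe and not exe.startswith(TRUSTED_ROOTS):
            found.append(Finding(line, f"service with no vendor name outside trusted directories: {exe}", "review"))
    elif line.startswith("O4 - ") and ": " in line:
        exe = extract_path(line.split(": ", 1)[1])
        if exe and WINDIR_ROOT_EXE.fullmatch(exe):
            found.append(Finding(line, f"autorun binary directly in the Windows directory: {exe}", "review"))
    return found


def triage(lines) -> list[Finding]:
    return [f for line in lines for f in triage_line(line.strip())]


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"',
    r"O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe",
    r"O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe (file missing)",
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
    r"O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe",
]

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LINES), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against a saved HijackThis log with `triage(open("hijackthis.log").readlines())`. The "review" findings are deliberately weak signals: a webcam helper in C:\WINDOWS or a service whose binary a scanner already removed are common and need a human look, whereas a svchost.exe registered from a Recycler folder under a misspelled Messenger name is the kind of line a helper would tell you to fix straight away.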



## Cookiegal (Aug 27, 2003)

Did you do the Panda scan?


----------



## theriddler (Jul 23, 2007)

I did, but it crashed. My CPU went to 100%, then it lagged like mad.
It found 3 viruses before it crashed. Would you like me to do it again?


----------



## Cookiegal (Aug 27, 2003)

Yes, try again please.


----------



## theriddler (Jul 23, 2007)

It's like impossible to do the scan; IE keeps crashing. Look at this pic: my computer's CPU is being eaten by that. Look at the pic, any ideas? I have got Panda working now. Do you have any idea what's eating my resources? :S My computer's getting hammered by all kinds now.


----------



## Cookiegal (Aug 27, 2003)

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database"* for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from Kaspersky scan*


----------



## theriddler (Jul 23, 2007)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, July 27, 2007 8:34:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/07/2007
Kaspersky Anti-Virus database records: 345930
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 106938
Number of viruses found: 16
Number of infected objects: 116 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:34:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\blueyonder\PCguard\logs\FirewallService07-27-2007--18-17-37.log	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\nick\Application Data\RadialPoint\ClientGateway\client_gateway.log	Object is locked	skipped
C:\Documents and Settings\nick\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\nick\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\nick\Local Settings\History\History.IE5\MSHist012007072720070728\index.dat	Object is locked	skipped
C:\Documents and Settings\nick\Local Settings\Temp\~DF45B9.tmp	Object is locked	skipped
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\89ARW1U3\x5s34[1].exe	Infected: Trojan.Win32.Agent.qt	skipped
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\FTV89AZR\xc29[1].exe	Infected: Trojan.Win32.Agent.qt	skipped
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\FTV89AZR\xc60[1].exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\G1U3KH2R\xc23[1].exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\G1U3KH2R\xc42[1].exe/data0002	Infected: Trojan-Downloader.Win32.PurityScan.eg	skipped
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\G1U3KH2R\xc42[1].exe	NSIS: infected - 1	skipped
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\U987VG5F\antzom[1].exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\Documents and Settings\nick\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\nick\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Adobe\Acrobat\6.0\AdobeComFnt06.lst	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Autograph\Version 3.1\advanced.atb	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\blueyonder\PCguard\AdBlocker.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\blueyonder\PCguard\AdBlocker.dat.backup	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\blueyonder\PCguard\Privacy.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\blueyonder\PCguard\Privacy.dat.backup	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Lavasoft\Ad-Aware\description.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Lavasoft\Ad-Aware\settings.awc	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Macromedia\Flash Player\#SharedObjects\ND8PJM32\pagead2.googlesyndication.com\pagead\googleadplayer.swf\mediaPlayerUserSettings.sol	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Macromedia\Flash Player\#SharedObjects\ND8PJM32\www.youtube.com\soundData.sol Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Macromedia\Flash Player\#SharedObjects\ND8PJM32\youtube.com\soundData.sol	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pagead2.googlesyndication.com\settings.sol	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youtube.com\settings.sol Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#youtube.com\settings.sol	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Address Book\nicky.wab	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Address Book\nicky.wab~	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Excel\Excel.xlb	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\HTML Help\hh.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Internet Explorer\brndlog.txt	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Internet Explorer\Desktop.htt	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Media Player\005EDE70.wpl	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Excel.pip	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\MSO1033.acl	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\MSO2057.acl	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\0999.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\1033.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\3½ Floppy (A).LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\4.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\5.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\Analysis and interpretation.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\Copyofmayfield.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\da boz.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\Desktop.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\English.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\hh.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\I will now use a box and whisker to show the weight of a random selection of females against a random selection of the amount of television watched.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\KS3.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\MATHS COURSEWORK 2.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\MATHS COURSEWORK.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\Methodology.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\Monday 8th January 2007.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\My Documents.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\pictogram.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\Settlement hierarchy explanation.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\Shopping survey.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\Templates.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\WOOOOOOOOOOO.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Recent\XL8GALRY.LNK	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Office\Word.pip	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Proof\CUSTOM.DIC	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Protect\CREDHIST	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Templates\Normal.dot	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Microsoft\Templates\~$Normal.dot	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Subversion\config	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Subversion\README.txt	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Subversion\servers	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\fphover.class-50373a5e-644ebd6c.class	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\fphover.class-50373a5e-644ebd6c.idx	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\fphoverx.class-55436a70-647388a3.class	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\fphoverx.class-55436a70-647388a3.idx	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Sun\Java\Deployment\deployment.properties	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Sun\Java\Deployment\log\plugin150_08.trace	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Syntrillium\Cool Edit Pro\2.00\COOL.INI	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Syntrillium\Cool Edit Pro\2.00\coolcust.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Syntrillium\Cool Edit Pro\2.00\flt.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Syntrillium\Cool Edit Pro\2.00\recovery.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Syntrillium\Cool Edit Pro\2.00\xfm.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Telewest\PCguard advisor\CampaignStore.xml	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Telewest\PCguard advisor\client_gateway.log	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Telewest\PCguard advisor\EventStore.xml	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Telewest\PCguard advisor\SoftwarePackageStore.xml	Object is locked	skipped
C:\Documents and Settings\nicky\Application Data\Telewest\PCguard advisor\UpdateStore.xml	Object is locked	skipped
C:\Documents and Settings\nicky\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Cookies\[email protected][1].txt	Object is locked	skipped
C:\Documents and Settings\nicky\Cookies\[email protected][1].txt	Object is locked	skipped
C:\Documents and Settings\nicky\Cookies\[email protected][1].txt	Object is locked	skipped
C:\Documents and Settings\nicky\Cookies\[email protected][1].txt	Object is locked	skipped
C:\Documents and Settings\nicky\Cookies\[email protected][1].txt	Object is locked	skipped
C:\Documents and Settings\nicky\Cookies\[email protected][2].txt	Object is locked	skipped
C:\Documents and Settings\nicky\Cookies\[email protected][1].txt	Object is locked	skipped
C:\Documents and Settings\nicky\Desktop\cezanne_lowry_landscapes_166.htm	Object is locked	skipped
C:\Documents and Settings\nicky\Desktop\Copyofmayfield.xls	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\Final Fantasy Press.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\freelayouts CSI LV generator layout.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\freelayouts Movies -- Memoirs of a Geisha.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\freelayouts Video Game - Legend of Zelda Twilight Princess.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\freelayouts Video games- FFX-2 - 1000 Words (Yuna).url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\I am a stranger travelling from the west - coughcough.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\lixa_turner.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\Peekvid Doctor Who - Cybermen Call Centre (funny)!.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\The Torchwood Institute -.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Bexx\Userpics.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Create A Graph.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\freelayouts Music- Ayumi Hamasaki- Real Me.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\freelayouts Music--Ayumi Hamsasaki.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Links\Customize Links.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Links\Free Hotmail.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Links\Windows Marketplace.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Links\Windows Media.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Links\Windows.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\MSN.com.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\Radio Station Guide.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\reopen the triangle - bermuda.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\YouTube - Django.url	Object is locked	skipped
C:\Documents and Settings\nicky\Favorites\{noway_icons} SUPERNATURAL.url	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Adobe\Acrobat\6.0\Cache\AcroFnt06.lst	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\IconCache.db	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Identities\{069EADD3-AC61-422E-B291-9AF6DCB75AD4}\Microsoft\Outlook Express\Folders.dbx	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Identities\{069EADD3-AC61-422E-B291-9AF6DCB75AD4}\Microsoft\Outlook Express\Inbox.dbx	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Identities\{069EADD3-AC61-422E-B291-9AF6DCB75AD4}\Microsoft\Outlook Express\Offline.dbx	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Microsoft\Media Player\wmpfolders.wmdb	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.DTD	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\History\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\History\History.IE5\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\History\History.IE5\MSHist012007022420070225\index.dat	Object is locked	skipped
C:\Documents and Settings\nicky\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\1.agg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\2.agg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\3.agg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\4.doc	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\5.doc	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\0007h532.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\10373484.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\10665989.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\1139437990_f.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\11529206.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\1168314466621.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\1219038.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\1357889.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\180580526_b04fee00f7_m.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\1Owen; `Not anymore.` Oooh. Hate for disloyal!Owen..jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\2010_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\20925_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\23nowyousee.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\2512572.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\2512572.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\300who_barrowman.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\33ianto.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\4054098.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\48harassment.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\4bz8q6v.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\549643.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\5nkvag.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\6171498.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\6340557.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\6456415.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\65giveme.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\703227.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\703227.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\8488555.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\8515128.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\879577.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\9209276.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\97400.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\9761518.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\And she's going to have to kill Gwen...if she can find her gun in her handbag, first..jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\animatedrikulayout8sx.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\ayumik2_speakfree.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\ayumik_speakfree.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\billisicon5.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\crying after doomsday (; _ .gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\d8f7217e5e8c64757bead00da8be4ac9.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\df.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\do2_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\do4_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Doctor WhoRLS - 10DoctorRose - DavidBillie - I Miss You Fanmix.zip	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\dodger_winslow-_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\gackt%20wallpaper.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\gag15_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\gag1_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\gag24_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\gag2_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\gag6_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\gag8_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\GakuHai.txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\hf.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\hfxd.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Ianto VO; `He's our leader.` Awww, love for loyal!Ianto..jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\img969.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\It's In His Kiss.wmv	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\j2x12_illyria1985.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\j2x17_illyria1985.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\j2x1_illyria1985.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\j2x6_illyria1985.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\jared2.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\jgf.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\jhrd.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\johnandscottattitudenov05.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\kuygt.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\L'Arc~en~Ciel - 09. Highlights 01 [ken] [Shibuya Seven Days].wmv	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\l5_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\l6_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\l7_speakfree.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\ll.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\main.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\mbhc.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\mhf.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\mjytg.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\New Text Document.txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\00003e16.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\000055de.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\00007hsp.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\001khdb6.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\001kyqkx.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\001py8b9.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\00_03_17.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\00_11_59.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\00_35_14.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\00_50_27.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\00_50_35.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\07.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\10074965.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\10074965.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\10187013.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\1084079.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\10999987.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\11459135.jpg	Object is locked	skipped


----------
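
The report the poster pasted across these posts is a tab-separated scan log: an object path, then a status (`Object is locked`, `Infected: <detection name>`, or a container summary such as `NSIS: infected - 2`), then the action, which is `skipped` on every line shown (the scan reported and did not disinfect). Archive and stream members appear as `<container>/<member>`, so one on-disk file can produce several lines. The following Python is an added example, not code from this thread or from any scanner vendor; it parses that format and separates what needs action (live files, and program binaries that a `Virus.`-prefixed file infector has modified) from restore-point snapshots and Temp droppers. Assumptions: the sample lines are copied from the report in this thread, the location buckets and the reading of a `Virus.` prefix as a parasitic file infector are the example's own conventions, and `running_infected` takes a constructed running-process list rather than the thread's HijackThis output.

```python
"""Triage the tab-separated scan report lines posted in this thread.
Line shape: <object>\t<status>\t<action>; status is "Object is locked",
"Infected: <detection>" or a container summary such as "NSIS: infected - 2".
Archive and stream members are written as <container path>/<member>."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a few lines copied from the report in this thread.
SAMPLE_REPORT = "\n".join([
    "C:\\Documents and Settings\\nicky\\ntuser.dat\tObject is locked\tskipped",
    "C:\\Program Files\\blueyonder IST\\SmartBridge\\blueyonder-istnotifier.exe"
    "\tInfected: Virus.Win32.Agent.ab\tskipped",
    "C:\\Program Files\\codec_setup.exe/stream/data0006"
    "\tInfected: Trojan-Downloader.Win32.Zlob.bxn\tskipped",
    "C:\\Program Files\\codec_setup.exe/stream"
    "\tInfected: Trojan-Downloader.Win32.Zlob.bxn\tskipped",
    "C:\\Program Files\\codec_setup.exe\tNSIS: infected - 2\tskipped",
    "C:\\Program Files\\Mouse Driver\\MouseDrv.exe"
    "\tInfected: Virus.Win32.Agent.ab\tskipped",
    "C:\\System Volume Information\\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}"
    "\\RP135\\A0075043.exe\tInfected: Trojan-Spy.Win32.KeyLogger.nd\tskipped",
    "C:\\WINDOWS\\smsys.dat\tInfected: Trojan-Proxy.Win32.Agent.mx\tskipped",
    "C:\\WINDOWS\\system32\\hlpsrv.exe\tInfected: Trojan-Clicker.Win32.Small.mv\tskipped",
    "C:\\WINDOWS\\Temp\\1024890.exe\tInfected: Trojan-Downloader.Win32.Alphabet.h\tskipped",
    "C:\\WINDOWS\\Temp\\1111875.exe\tInfected: Trojan-Downloader.Win32.Alphabet.h\tskipped",
])

_INFECTED_RE = re.compile(r"^Infected:\s*(?P<name>\S+)$")
# Drive-letter path, then optional "/member" segments inside a container.
_MEMBER_RE = re.compile(r"^(?P<container>[A-Za-z]:\\[^/]*)(?P<member>(?:/[^/]*)+)?$")


@dataclass(frozen=True)
class Finding:
    container: str       # on-disk file that holds the detection
    member: str | None   # archive/stream member inside it, if any
    detection: str       # e.g. "Trojan-Spy.Win32.KeyLogger.nd"
    location: str        # "restore-point", "temp", "user-profile" or "live"
    file_infector: bool  # "Virus." prefix read as a parasitic infector (assumption)


def classify_location(container: str) -> str:
    p = container.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # System Restore snapshot, inert unless restored
    if "\\temp\\" in p:
        return "temp"
    if p.startswith("c:\\documents and settings\\"):
        return "user-profile"
    return "live"


def parse_report(text: str) -> tuple[list[Finding], int]:
    """Return (findings, locked_count). Container summary lines add nothing:
    the member lines above them already carry the detection names."""
    findings: list[Finding] = []
    locked = 0
    for raw in text.splitlines():
        parts = raw.rstrip("\r").split("\t")
        if len(parts) != 3:
            continue  # blank line or prose, not a report line
        obj, status, _action = parts
        if status == "Object is locked":
            locked += 1
            continue
        m = _INFECTED_RE.match(status)
        if not m:
            continue  # container summaries ("NSIS: infected - 2") are skipped
        pm = _MEMBER_RE.match(obj)
        container = pm.group("container") if pm else obj
        member = pm.group("member") if pm else None
        name = m.group("name")
        findings.append(Finding(container, member, name,
                                classify_location(container),
                                name.startswith("Virus.")))
    return findings, locked


def triage(findings: list[Finding]) -> dict[str, object]:
    """What actually needs action: distinct live files, binaries a file
    infector has modified, and counts per family and per location."""
    return {
        "live_files": sorted({f.container for f in findings if f.location == "live"}),
        "file_infector_hosts": sorted({f.container for f in findings if f.file_infector}),
        "families": Counter(f.detection for f in findings),
        "by_location": Counter(f.location for f in findings),
    }


def running_infected(findings: list[Finding], running: list[str]) -> list[str]:
    """Flagged containers that also appear in a running-process list (case-
    insensitive path match): they must be stopped before they can be cleaned."""
    by_path = {f.container.lower(): f.container for f in findings}
    return sorted({by_path[p.lower()] for p in running if p.lower() in by_path})
```

Call `parse_report(SAMPLE_REPORT)` and pass the findings to `triage`; `running_infected` takes the same findings plus a list of process image paths. The split matters when reading a log like this one: hits under `System Volume Information\_restore{...}\RPnnn` are copies System Restore kept of files that have since changed or been removed, and they go away by clearing the restore points rather than by hand-deleting them; the `Virus.Win32.Agent.ab` entries sit on otherwise legitimate executables (the mouse driver, `NeroCheck.exe`, the blueyonder notifier), so those binaries are carriers that need disinfecting or reinstalling from clean media after the processes are stopped; and a run of numbered `.exe` files in `C:\WINDOWS\Temp` all tagged with one downloader family suggests a component that is still active and re-dropping, not leftovers from a past infection.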



## theriddler (Jul 23, 2007)

C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\28259_torchwood_duringbreak_007_122_517lo.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\28268_torchwood_duringbreak_009_122_501lo.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\28431_torchwood_duringbreak_013_122_595lo.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\28440_torchwood_duringbreak_015_122_468lo.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\28450_torchwood_duringbreak_016_122_507lo.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\3478370.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\3729951.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\425127.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\4838896.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\6171498.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\6718223.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\7807997.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\7890936.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\7890936.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\854468.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\8578571.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\8578571.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\8965045.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\971771.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\all of 'em.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\captainjack.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\CaptainJack.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\Ep13_006.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\headerforlj2.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\is outraged, Ianto won't give up hope that she can be cured..jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\JHG.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\JP.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\JTGF.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\jyt.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\KJKJ.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\MBHV.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document (2).txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document (3).txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document (4).txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document (5).txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document (6).txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document (7).txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document (8).txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document (9).txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\New Text Document.txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\oooo.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\qwenjacklovexf1.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\SDA.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\So, we first meet Captain Jack on series one of Doctor Who and immediately we realize that he's gorgeous.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\the change in Ianto's expression!1.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\the change in Ianto's expression!2.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\Thumbs.db	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\Torchwood003.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Piccys\YU.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\rj_08.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\sad_1985_speakfree.png	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\serenitydiary.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\shesback2.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\songs\A Man In Uniform_ A Jack_Ianto Fanmix.zip	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\songs\captain&theteaboy.zip	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\songs\L'Arc~en~Ciel - 00. Opening to Shibuya Seven Days.wmv	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\songs\L'Arc~en~Ciel - 01. Fare Well [Shibuya Seven Days].wmv	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\songs\L'Arc~en~Ciel - 02. Caress of Venus [Shibuya Seven Days].wmv	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\songs\L'Arc~en~Ciel - 06. get our from the shell [Shibuya Seven Days].wmv	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\songs\Thumbs.db	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\songs\Torchwood - JackGwen - Tender Fanmix.zip	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Supernatural.zip	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Susie is slid to rest in drawer #006... Also, JB has a very very nice ***! XD.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\td.gif	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\Thumbs.db	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\top-179.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\TW Season 2 specs.txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\tw.txt	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\untitled.bmp	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\wall_image2_200606.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\wall_image2_200610.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\You Belong To Me.avi	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\BEXX\z6307624.jpg	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\English.doc	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\I will now use a box and whisker to show the weight of a random selection of females against a random selection of the amount of television watched.doc	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\KS3.doc	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\MATHS COURSEWORK 2.doc	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\MATHS COURSEWORK.doc	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\My Music\Desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\My Music\Sample Music.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\My Pictures\Desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\My Pictures\Sample Pictures.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\My Pictures\Thumbs.db	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\My Videos\Desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\My Documents\R.doc	Object is locked	skipped
C:\Documents and Settings\nicky\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\nicky\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\nicky\ntuser.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\00_35_14.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\07.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\0999.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\1.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\1Owen; `Not anymore.` Oooh. Hate for disloyal!Owen..lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\2.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\2010_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\23nowyousee.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\2512572 (2).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\3.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\33ianto.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\3478370.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\3½ Floppy (A).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\48harassment.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\5.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\65giveme.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\A Man In Uniform_ A Jack_Ianto Fanmix.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\And she's going to have to kill Gwen...if she can find her gun in her handbag, first..lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\ayumik2_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\ayumik_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\back.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\BEXX.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\billisicon5.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Capital Gold - Celtic Legends - Various.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\captain&theteaboy.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\cezanne_lowry_landscapes_166.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Copyofmayfield.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\da boz.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Doctor WhoRLS - 10DoctorRose - DavidBillie - I Miss You Fanmix.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\English.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\first project completed.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\gag15_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\gag1_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\gag24_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\gag6_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\gag8_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\GakuHai.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\geography coursework redraft.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\getimage.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\headerforlj2.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\hfxd.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\I will now use a box and whisker to show the weight of a random selection of females against a random selection of the amount of television watched.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\img969.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\It's In His Kiss.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\j2x12_illyria1985.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\j2x17_illyria1985.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\j2x1_illyria1985.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\j2x6_illyria1985.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\killabarbie___iconpostyay5.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\KS3.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\L'Arc~en~Ciel - 00. Opening to Shibuya Seven Days.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\L'Arc~en~Ciel - 01. Fare Well [Shibuya Seven Days].lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\L'Arc~en~Ciel - 02. Caress of Venus [Shibuya Seven Days].lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\L'Arc~en~Ciel - 06. get our from the shell [Shibuya Seven Days].lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\L'Arc~en~Ciel - 09. Highlights 01 [ken] [Shibuya Seven Days].lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\MATHS COURSEWORK 2.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Methodology.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Monday 8th January 2007.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\My Documents.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\My Pictures.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\New Text Document (2).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\New Text Document (4).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\New Text Document (5).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\New Text Document (6).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\New Text Document (7).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\New Text Document (8).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\New Text Document (9).lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\New Text Document.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\pictogram.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\R.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\sad_1985_speakfree.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Settlement hierarchy explanation.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Shopping survey.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Supernatural.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Susie is slid to rest in drawer #006... Also, JB has a very very nice ***! XD.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\Torchwood - JackGwen - Tender Fanmix.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\TW Season 2 specs.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\tw.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\untitled.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\URBAN TRANSECT.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\WOOOOOOOOOOO.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\You Belong To Me.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Recent\z6307624.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\SendTo\Compressed (zipped) Folder.ZFSendToTarget	Object is locked	skipped
C:\Documents and Settings\nicky\SendTo\Desktop (create shortcut).DeskLink	Object is locked	skipped
C:\Documents and Settings\nicky\SendTo\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\SendTo\Mail Recipient.MAPIMail	Object is locked	skipped
C:\Documents and Settings\nicky\SendTo\My Documents.mydocs	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Accessibility\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Address Book.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Command Prompt.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Entertainment\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Notepad.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Synchronize.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Tour Windows XP.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Accessories\Windows Explorer.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Internet Explorer.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Outlook Express.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Remote Assistance.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Startup\desktop.ini	Object is locked	skipped
C:\Documents and Settings\nicky\Start Menu\Programs\Windows Media Player.lnk	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\amipro.sam	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\excel.xls	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\excel4.xls	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\lotus.wk4	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\powerpnt.ppt	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\presenta.shw	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\quattro.wb2	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\sndrec.wav	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\winword.doc	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\winword2.doc	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\wordpfct.wpd	Object is locked	skipped
C:\Documents and Settings\nicky\Templates\wordpfct.wpg	Object is locked	skipped
C:\Documents and Settings\nicky\UserData\index.dat	Object is locked	skipped
C:\Documents and Settings\nicky\UserData\WL29EX8P\IsOnIE6tbPromo[1].xml	Object is locked	skipped
C:\Program Files\blueyonder IST\SmartBridge\AlertFilter.log	Object is locked	skipped
C:\Program Files\blueyonder IST\SmartBridge\blueyonder-istnotifier.exe	Infected: Virus.Win32.Agent.ab	skipped
C:\Program Files\blueyonder IST\SmartBridge\log\httpclient.log	Object is locked	skipped
C:\Program Files\blueyonder IST\SmartBridge\SmartBridge.log	Object is locked	skipped
C:\Program Files\codec_setup.exe/stream/data0006	Infected: Trojan-Downloader.Win32.Zlob.bxn	skipped
C:\Program Files\codec_setup.exe/stream	Infected: Trojan-Downloader.Win32.Zlob.bxn	skipped
C:\Program Files\codec_setup.exe	NSIS: infected - 2	skipped
C:\Program Files\Mouse Driver\MouseDrv.exe	Infected: Virus.Win32.Agent.ab	skipped
C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe	Infected: Virus.Win32.Agent.ab	skipped
C:\Program Files\Veoh Networks\Veoh\client.log	Object is locked	skipped
C:\Program Files\Veoh Networks\Veoh\upload.log	Object is locked	skipped
C:\RECYCLER\S-1-5-21-1844237615-1659004503-725345543-1004\Dc31.jpg	Object is locked	skipped
C:\RECYCLER\S-1-5-21-1844237615-1659004503-725345543-1004\Dc32.png	Object is locked	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP129\A0070673.exe/stream	Infected: Trojan.Win32.DNSChanger.jc	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP129\A0070673.exe	NSIS: infected - 1	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP135\A0075043.exe	Infected: Trojan-Spy.Win32.KeyLogger.nd	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP136\A0075046.exe/data0001	Infected: Trojan-Spy.Win32.KeyLogger.nd	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP136\A0075046.exe	Astrum: infected - 1	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP141\A0075376.exe	Infected: Trojan-Spy.Win32.KeyLogger.nd	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP155\A0088292.com	Infected: Trojan-Downloader.Win32.Small.cxs	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP155\A0088293.exe	Infected: Trojan.Win32.BHO.bd	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP156\A0089566.exe	Infected: Trojan-Proxy.Win32.Dlena.cw	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP156\A0089605.exe/data.rar/keygen.exe	Infected: Trojan-Downloader.Win32.LoadAdv.gen	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP156\A0089605.exe/data.rar/serial.exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP156\A0089605.exe/data.rar/install.exe	Infected: Trojan-Downloader.Win32.Small.eqn	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP156\A0089605.exe/data.rar	Infected: Trojan-Downloader.Win32.Small.eqn	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP156\A0089605.exe	RarSFX: infected - 4	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP156\A0089606.exe	Infected: Trojan-Downloader.Win32.Small.eqn	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP156\A0089625.exe	Infected: Backdoor.Win32.VB.kb	skipped
C:\System Volume Information\_restore{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP157\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\smsys.dat	Infected: Trojan-Proxy.Win32.Agent.mx	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\hlpsrv.exe	Infected: Trojan-Clicker.Win32.Small.mv	skipped
C:\WINDOWS\system32\NeroCheck.exe	Infected: Virus.Win32.Agent.ab	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\system32\winzwr32.dll	Infected: Trojan.Win32.Dialer.qn	skipped
C:\WINDOWS\Temp\1024890.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1111875.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1173015.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1259937.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1333875.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1402875.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1493406.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1561937.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1647906.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1718937.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1797890.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1862500.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1929859.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\1991890.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2068921.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2129187.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2208906.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2402390.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2464328.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2529156.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2593687.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2670000.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2742328.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2810953.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2882000.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\2954906.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3020906.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3086921.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3159000.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3229453.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3291781.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3353687.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3493546.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3618515.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3701921.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped


----------



## theriddler (Jul 23, 2007)

C:\WINDOWS\Temp\3782937.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\3944031.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4017968.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4083984.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4151968.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4229937.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4295937.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4363953.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4432968.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4516906.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4582984.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4656031.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4734937.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4809421.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4876359.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\4939968.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5023625.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5092984.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5352906.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5419859.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5577968.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5643921.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5720031.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5811156.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5874265.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\5950968.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\6027015.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\6100953.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\888890.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\954875.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\hosthost.exe	Infected: Trojan-Clicker.Win32.Small.mv	skipped
C:\WINDOWS\Temp\nseEBF.tmp	Object is locked	skipped
C:\WINDOWS\Temp\win28.tmp.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\win2C.tmp.exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\WINDOWS\Temp\win41.tmp.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\win45.tmp.exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\WINDOWS\Temp\win53.tmp.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\win5A9.tmp	Object is locked	skipped
C:\WINDOWS\Temp\win5B8.tmp.exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\WINDOWS\Temp\win610.tmp.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\win62B.tmp.exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\WINDOWS\Temp\win63.tmp.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\win642.tmp.exe	Infected: Trojan.Win32.Agent.qt	skipped
C:\WINDOWS\Temp\win653.tmp.exe/data0002	Infected: Trojan-Downloader.Win32.PurityScan.eg	skipped
C:\WINDOWS\Temp\win653.tmp.exe	NSIS: infected - 1	skipped
C:\WINDOWS\Temp\win66B.tmp.exe	Infected: Trojan.Win32.Agent.qt	skipped
C:\WINDOWS\Temp\win77.tmp.exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\WINDOWS\Temp\win80.tmp.exe	Infected: Trojan.Win32.Agent.qt	skipped
C:\WINDOWS\Temp\winB2.tmp.exe	Infected: Trojan-Downloader.Win32.Alphabet.h	skipped
C:\WINDOWS\Temp\winB6.tmp.exe	Infected: Trojan.Win32.Dialer.qn	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------



## theriddler (Jul 23, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 20:55:35, on 27/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Advanced Browser\browser.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [CreativeMouse ] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYGB
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: (msupdate) - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

I'm sorry for the separate posts, but you're only allowed 30,000 characters per post.
Is my computer.... going to die?


----------



## Cookiegal (Aug 27, 2003)

Download *ComboFix* to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in *Safe Mode*.

Double click *combofix.exe* and follow the prompts.
When finished, it will produce a log for you. Post that log and a new *HijackThis* log in your next reply.
*Note: Do not mouse-click ComboFix's window while it's running, as that may cause it to stall.*


----------



## theriddler (Jul 23, 2007)

This program would only work in normal mode; when I booted into safe mode it just didn't appear, and when I searched the, it came up with like a million different things. Thanks for your help mate.

"nick" - 2007-07-28 1:09:31 - ComboFix 07-07-23.6 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\nick\APPLIC~1.\macromedia\Flash Player\#SharedObjects\37C6J2U8\www.broadcaster.com
C:\DOCUME~1\nick\APPLIC~1.\macromedia\Flash Player\#SharedObjects\37C6J2U8\www.broadcaster.com\played_list.sol
C:\DOCUME~1\nick\APPLIC~1.\macromedia\Flash Player\#SharedObjects\37C6J2U8\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\nick\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\nick\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\PopsMedia Site Adviser

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_ASC3550U
-------\LEGACY_LDRSVC
-------\LEGACY_RUNTIME
-------\asc3550u

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))

2007-07-28 01:03 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-07-28 01:00 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Advanced Browser
2007-07-27 20:44	6,466	---hs----	C:\WINDOWS\system32\xybeg.bak1
2007-07-27 18:52	70,312	--a------	C:\Program Files\codec_setup.exe
2007-07-27 18:30	31,254	--a------	C:\WINDOWS\system32\ljjiigd.dll
2007-07-27 18:23	6,507	---hs----	C:\WINDOWS\system32\bbeeg.bak1
2007-07-27 17:45	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-27 17:44	6,589	---hs----	C:\WINDOWS\system32\qrutv.ini2
2007-07-27 17:44	6,466	---hs----	C:\WINDOWS\system32\qrutv.bak2
2007-07-27 17:36 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-07-27 16:00	6,466	---hs----	C:\WINDOWS\system32\qrutv.bak1
2007-07-27 13:37	8,704	--a------	C:\WINDOWS\system32\pfdnnt.exe
2007-07-27 12:21	8,576	--a------	C:\WINDOWS\system32\drivers\opabcojvebht.sys
2007-07-27 12:09	6,467	---hs----	C:\WINDOWS\system32\qtstv.bak1
2007-07-27 00:26	6,467	---hs----	C:\WINDOWS\system32\jlkkj.bak1
2007-07-26 21:07	8,576	--a------	C:\WINDOWS\system32\drivers\cwnsjlwkekub.sys
2007-07-26 20:56	8,576	--a------	C:\WINDOWS\system32\drivers\auctfrvqnwve.sys
2007-07-26 20:54	6,466	---hs----	C:\WINDOWS\system32\abadd.bak1
2007-07-26 02:20	8,576	--a------	C:\WINDOWS\system32\drivers\jibxpfefmjvf.sys
2007-07-26 02:12 d--------	C:\WINDOWS\system32\ActiveScan
2007-07-26 00:37	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-25 20:36 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-25 20:35 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-25 20:35 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 20:35 d--------	C:\DOCUME~1\nick\APPLIC~1\SUPERAntiSpyware.com
2007-07-25 14:30 d--------	C:\Program Files\LizardTech
2007-07-24 22:14 d--------	C:\WINDOWS\ERUNT
2007-07-24 22:02	786,432	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-24 21:59 d--------	C:\WINDOWS\pss
2007-07-23 21:46	94,208	--a------	C:\WINDOWS\amcap.exe
2007-07-23 21:46	53,248	--a------	C:\WINDOWS\vsnpstd3.dll
2007-07-23 21:46	53,248	--a------	C:\WINDOWS\system32\csnpstd3.dll
2007-07-23 21:46	20,480	--a------	C:\WINDOWS\usnpstd3.exe
2007-07-23 21:46	147,456	--a------	C:\WINDOWS\system32\rsnpstd3.dll
2007-07-23 21:46	10,252,544	--a------	C:\WINDOWS\system32\drivers\snpstd3.sys
2007-07-23 21:46 d--------	C:\Program Files\Common Files\snpstd3
2007-07-22 21:24	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-07-22 21:24 d--------	C:\Program Files\Spyware Doctor
2007-07-19 23:15 d--------	C:\Program Files\Lavasoft
2007-07-18 20:28 d--------	C:\DOCUME~1\nick\APPLIC~1\Google
2007-07-18 20:28 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-18 20:27 d--------	C:\Program Files\Google
2007-07-18 19:58	3,380	--a------	C:\WINDOWS\system32\tmp.reg
2007-07-18 19:57	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-07-18 19:57	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-07-17 21:49 d--h-----	C:\WINDOWS\PIF
2007-07-17 21:25 d--------	C:\Program Files\Microsoft Bootvis
2007-07-16 22:54 d--------	C:\Program Files\Game Accelerator
2007-07-16 15:01 d--------	C:\Program Files\WinPopup Speak
2007-07-15 21:41	164	--a------	C:\install.dat
2007-07-15 01:33 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-07-15 01:24 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-14 23:27 d--------	C:\Program Files\uTorrent
2007-07-14 16:03 d--------	C:\Program Files\Ace Utilities
2007-07-14 01:32 d--------	C:\Program Files\PCPitstop
2007-07-13 22:07 d--------	C:\Program Files\Speed Gear 5
2007-07-10 13:14 d--------	C:\Program Files\InfiniaChess
2007-07-10 13:14 d--------	C:\log
2007-07-06 23:55	5	--a------	C:\WINDOWS\system32\flmc.dat
2007-07-03 00:48	24	--a------	C:\WINDOWS\twin.dll
2007-07-02 22:44 d--------	C:\Program Files\Remote Desktop Control
2007-07-01 23:26 d--------	C:\Program Files\CamStudio
2007-06-29 20:32 d--------	C:\Program Files\SCAR 3.06

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 00:05:42	911	----a-w	C:\Program Files\f3m0.cf
2007-07-28 00:05:40	474	----a-w	C:\Program Files\ComboFix.txt
2007-07-28 00:05:40	135	----a-w	C:\Program Files\ErrDbg.cf
2007-07-28 00:03:05	--------	d-----w	C:\Program Files\Wisdom-soft AutoScreenRecorder
2007-07-27 17:21:11	--------	d-----w	C:\Program Files\Common Files\Command Software
2007-07-27 12:17:44	--------	d-----w	C:\Program Files\TVR
2007-07-27 12:16:21	--------	d-----w	C:\Program Files\Mouse Driver
2007-07-27 12:14:12	--------	d-----w	C:\Program Files\Messenger
2007-07-27 12:05:08	--------	d-----w	C:\Program Files\Common Files\PestPatrol
2007-07-26 20:07:28	--------	d-----w	C:\Program Files\WinAce
2007-07-23 20:46:05	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-07-22 22:34:32	--------	d-----w	C:\Program Files\EMCO Malware Destroyer
2007-07-19 22:15:51	--------	d-----w	C:\DOCUME~1\nick\APPLIC~1\Lavasoft
2007-07-15 21:16:14	--------	d-----w	C:\Program Files\SCAR 3.05
2007-07-15 21:15:57	--------	d-----w	C:\Program Files\ServersCheck_RemoteBooting
2007-07-14 17:16:51	1,682	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-14 17:15:38	56	--sh--r	C:\WINDOWS\system32\B0DE9BE21E.sys
2007-07-01 13:29:48	--------	d-----w	C:\Program Files\Multimedia Keyboard
2007-06-26 21:22:21	--------	d-----w	C:\DOCUME~1\nick\APPLIC~1\Aquarius Soft
2007-06-23 15:17:24	23,600	----a-w	C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-06-18 19:32:50	--------	d-----w	C:\Program Files\WinPcap
2007-06-14 19:07:04	--------	d-----w	C:\Program Files\Common Files\Enterbrain
2007-06-12 21:17:09	--------	d-----w	C:\Program Files\MessengerDiscovery
2007-06-09 23:36:29	--------	d-----w	C:\Program Files\Zeallsoft
2007-06-09 19:48:53	--------	d-----w	C:\DOCUME~1\nick\APPLIC~1\InternetCalls
2007-06-09 17:55:07	--------	d-----w	C:\Program Files\FDRLab
2007-06-05 21:05:51	--------	d-----w	C:\Program Files\Delta
2007-06-01 23:44:45	--------	d-----w	C:\Program Files\Arena
2007-05-11 17:54:15	524,288	----a-w	C:\WINDOWS\system32\DivXsm.exe
2007-05-11 04:37:15	823,296	----a-w	C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 04:37:15	823,296	----a-w	C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 04:37:15	802,816	----a-w	C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 04:37:15	740,442	----a-w	C:\WINDOWS\system32\DivX.dll
2006-08-02 23:53:25	4	-c--a-w	C:\Program Files\Common Files\Cvtaqlog.dat
2006-08-01 15:33:54	560	----a-w	C:\Program Files\Global.sw

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"RecSche"="C:\Program Files\TVR\RecSche.exe" [2003-08-05 02:46]
"PCguardadvisor.exe"="C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2006-04-28 15:27]
"Motive SmartBridge"="C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe" [2005-09-22 09:05]
"CreativeMouse "="C:\Program Files\Mouse Driver\MouseDrv.exe" [2004-06-27 14:54]
"zSPGuard"="c:\program files\pjw\spguard\spguard.exe" [2003-07-15 01:45]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"GameXL"="" []
"CreativeMouse"="C:\Program Files\Mouse Driver\MouseDrv.exe" [2004-06-27 14:54]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 08:56]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-05-03 17:43]
"@"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2005-08-24 14:06:54]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"=0 (0x0)
"NoStrCmpLogical"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=0 (0x0)
"NoStrCmpLogical"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R1 AFD;AFD Networking Support Environment;C:\WINDOWS\system32\drivers\afd.sys
R1 BANTExt;Belarc SMBios Access;C:\WINDOWS\system32\Drivers\BANTExt.sys
R1 Kbdclass;Keyboard Class Driver;C:\WINDOWS\system32\DRIVERS\kbdclass.sys
R1 mnmdd;mnmdd;C:\WINDOWS\system32\drivers\mnmdd.sys
R1 Mouclass;Mouse Class Driver;C:\WINDOWS\system32\DRIVERS\mouclass.sys
R1 Npfs;Npfs;C:\WINDOWS\system32\drivers\Npfs.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 CSS DVP;CSS DVP;C:\WINDOWS\system32\DRIVERS\css-dvp.sys
R2 FreeTdi;Radialpoint Filter (RPS-12798);C:\WINDOWS\system32\Drivers\FreeTdi.sys
R2 lanmanserver;Server;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 lanmanworkstation;Workstation;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 winmgmt;Windows Management Instrumentation;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 Freedom;Freedom Miniport;C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS
R3 Gpc;Generic Packet Classifier;C:\WINDOWS\system32\DRIVERS\msgpc.sys
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys
R3 LVCap138;TV Card Capture Driver;C:\WINDOWS\system32\DRIVERS\lvcap138.sys
R3 lvtuner;Mercury TV Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\lvtuner.sys
R3 sermouse;Serial Mouse Driver;C:\WINDOWS\system32\DRIVERS\sermouse.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 wdmaud;Microsoft WINMM WDM Audio Compatibility Driver;C:\WINDOWS\system32\drivers\wdmaud.sys
S2 Ca536av;DigitalCam Pro Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys
S2 Messsaanger;Messsaanger;c:\Recyclers\svchost.exe
S2 zntport;NTPort Library Driver;\??\C:\WINDOWS\system32\zntport.sys
S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys
S3 FETNDIS;VIA Rhine Family Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
S3 IpFilterDriver;IP Traffic Filter Driver;C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
S3 mnmsrvc;NetMeeting Remote Desktop Sharing;C:\WINDOWS\System32\mnmsrvc.exe
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver;C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 s116bus;Sony Ericsson Device 116 driver (WDM);C:\WINDOWS\system32\DRIVERS\s116bus.sys
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s116mdm.sys
S3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s116mgmt.sys
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);C:\WINDOWS\system32\DRIVERS\s116nd5.sys
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s116obex.sys
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);C:\WINDOWS\system32\DRIVERS\s116unic.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S3 SNPSTD3;USB PC Camera (SNPSTD3);C:\WINDOWS\system32\DRIVERS\snpstd3.sys
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
S3 usbbus;LGE Mobile Composite USB Device;C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
S3 USBCamera;DigitalCam Pro Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys
S3 UsbDiag;LGE Mobile USB Serial Port;C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
S3 USBModem;LGE Mobile USB Modem;C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
S3 XSHARK;Xploder Driver (xshark.sys);C:\WINDOWS\system32\Drivers\xshark.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8961ca7a-5264-11db-a917-000d87ae9f29}]
AutoRun\command- F:\setup.exe

Contents of the 'Scheduled Tasks' folder
2007-07-27 23:00:00 C:\WINDOWS\tasks\At1.job
2007-07-23 08:00:30 C:\WINDOWS\tasks\At10.job
2007-07-23 09:00:38 C:\WINDOWS\tasks\At11.job
2007-07-23 10:01:11 C:\WINDOWS\tasks\At12.job
2007-07-26 11:02:00 C:\WINDOWS\tasks\At13.job
2007-07-27 12:01:38 C:\WINDOWS\tasks\At14.job
2007-07-27 13:00:00 C:\WINDOWS\tasks\At15.job
2007-07-27 14:00:00 C:\WINDOWS\tasks\At16.job
2007-07-27 15:00:00 C:\WINDOWS\tasks\At17.job
2007-07-27 16:00:00 C:\WINDOWS\tasks\At18.job
2007-07-27 17:00:01 C:\WINDOWS\tasks\At19.job
2007-07-27 00:01:41 C:\WINDOWS\tasks\At2.job
2007-07-27 18:00:00 C:\WINDOWS\tasks\At20.job
2007-07-27 19:00:00 C:\WINDOWS\tasks\At21.job
2007-07-27 20:00:00 C:\WINDOWS\tasks\At22.job
2007-07-27 21:00:00 C:\WINDOWS\tasks\At23.job
2007-07-27 22:00:00 C:\WINDOWS\tasks\At24.job
2007-07-27 01:00:00 C:\WINDOWS\tasks\At3.job
2007-07-26 02:00:35 C:\WINDOWS\tasks\At4.job
2007-07-23 03:00:35 C:\WINDOWS\tasks\At5.job
2007-07-23 04:00:30 C:\WINDOWS\tasks\At6.job
2007-07-23 05:00:49 C:\WINDOWS\tasks\At7.job
2007-07-23 06:00:31 C:\WINDOWS\tasks\At8.job
2007-07-23 07:00:44 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-28 01:15:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-28 1:17:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-28 01:17

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 01:19:08, on 28/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Advanced Browser\browser.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [CreativeMouse ] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYGB
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: (msupdate) - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe


----------



## theriddler (Jul 23, 2007)

I got the panda scan to work

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf 
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Desktop\ComboFix\nircmd.cfexe 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Desktop\ComboFix\nircmd.exe 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\nick\Cookies\[email protected][1].txt  
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\nick\Cookies\[email protected][1].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\nick\Cookies\[email protected][1].txt 
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\nick\Cookies\[email protected][1].txt 
Virus:Generic Trojan Disinfected C:\Documents and Settings\nick\Desktop\ComboFix.exe 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\nick\Desktop\junk folder\SDFix.exe[SDFix\apps\Process.exe] 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\nick\Desktop\junk folder\SmitfraudFix\restart.exe 
Virus:Generic Trojan Not disinfected C:\Documents and Settings\nick\My Documents\Downloads\PC Pitstop Optimize.rar[PC Pitstop Optimize 1.5 + patch\PC Pitstop Optimize 1.5 + patch.rar][run this and send it to the program file\PC Pitstop Optimize 1.5.x.x Patch.exe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Common Files\PestPatrol\Quarantine\ZQ87.tmp 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Program Files\Common Files\System\Mapi\1033\NT\SmitfraudFix\restart.exe 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR[contents.rdf] 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR[menu.xul] 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR[toolbarembed.html] 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\Game\CHESS.F3S 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\bar\Game\REVERSI.F3S 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.IWON\Files\WINDOWS\System32\f3PSSavr.scr 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE 
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR[contents.rdf] 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR[menu.xul] 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR[toolbarembed.html] 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\Game\CHESS.F3S 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\bar\Game\REVERSI.F3S 
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\EMCO Malware Destroyer\Quarantine\HOME-XXOC2DEDWC\NMC.MYWEBSEARCH\Files\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe


----------



## Cookiegal (Aug 27, 2003)

OK, I think it would be easier to do this using a different tool:

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Reboot to safe mode by pressing F8 at boot time and select Safe Mode in the list on the black screen.


Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes* group click *Non-Microsoft*.
In the *Win32 Services* group click *Non-Microsoft*.
In the *Driver Services* group click *Non-Microsoft*.
In the *Registry* group click *Non-Microsoft*.
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *CHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *CHECKED*.
In the *File String Search* group select *Non-Microsoft*.
In the *additional scans section*, please select *only* these:
Reg - Desktop Components
Reg - Disabled MS Config Items
Reg - Safeboot Options
Reg - Security Settings
Reg - Software Policy Settings
Reg - Uninstall list
File - Additional Folder Scans


Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file and upload it here as an attachment please.


----------



## theriddler (Jul 23, 2007)

I have put the attachment on I think, thanks


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.



> [Kill Explorer]
> [Win32 Services - Non-Microsoft Only]
> YY -> (Messsaanger) Messsaanger [Win32_Own | Auto | Stopped] -> %SystemDrive%\Recyclers\svchost.exe
> YY -> (msupdate) [Win32_Own | Auto | Stopped] ->
> ...
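The checks a helper applies by eye to the O23 service lines and the scheduled-task listing posted above, written out as an added example; this is not code from the thread or from HijackThis, ComboFix or WinPFind3U. The rules, the assumed C:\WINDOWS system path and the sample lines are constructed for this example, the samples mirroring entries from this thread's logs.

```python
"""Flag the entries a helper looks for in a HijackThis log: O23 service lines
and the Scheduled Tasks listing that ComboFix prints.  Added example; rules,
path assumptions (C:\\WINDOWS as in the thread's logs) and samples are the
example author's, not any tool's."""
import re

# Binaries that only belong in the system directory.  The thread's "Messsaanger"
# service pointed a copy of svchost.exe at c:\Recyclers instead.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")

O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?\s*$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|sys))", re.IGNORECASE)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} .*\\tasks\\(At\d+)\.job\s*$",
                     re.IGNORECASE)


def parse_o23(line):
    """Split one O23 line into name, owner, executable path and a missing flag."""
    m = O23_RE.match(line)
    if not m:
        return None
    svc = m.groupdict()
    svc["missing"] = svc["missing"] is not None
    # Reduce a quoted path plus switches (the rpcapd line) to the executable itself.
    path = svc["path"].strip().strip('"')
    m_exe = EXE_RE.match(path)
    svc["exe"] = m_exe.group(1) if m_exe else path
    return svc


def check_service(svc):
    """Return the reasons, if any, that this service deserves a second look."""
    reasons = []
    low = svc["exe"].lower()
    folder, _, base = low.rpartition("\\")
    if svc["missing"]:
        reasons.append("points at a file that no longer exists")
    if base in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append("Windows binary name running from %s" % (folder or "?"))
    if base.startswith("."):
        reasons.append("executable has an extension but no file name")
    # A missing vendor string on its own is common (the Epson service); it only
    # adds weight when something else is already wrong.
    if reasons and svc["owner"] == "Unknown owner":
        reasons.append("no vendor in the service description")
    return reasons


def scan_services(log_text):
    """Map each flagged service name to its reasons.  This is a review list,
    not a verdict: orphaned services of removed software appear here too."""
    flagged = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc:
            reasons = check_service(svc)
            if reasons:
                flagged[svc["name"]] = reasons
    return flagged


def count_at_jobs(task_listing):
    """Count At<n>.job files (created with the at command) in a tasks listing.
    Two dozen of them, one per hour, is the pattern seen in this thread, so
    anything beyond a handful is worth asking the user about."""
    return sum(1 for ln in task_listing.splitlines() if TASK_RE.match(ln))


# Constructed sample O23 lines in the shape of the thread's HijackThis log.
SAMPLE_O23 = r"""
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: Messsaanger - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: (msupdate) - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Constructed tasks listing: 24 hourly At jobs, as ComboFix listed them above.
SAMPLE_TASKS = "\n".join("2007-07-27 %02d:00:00 C:\\WINDOWS\\tasks\\At%d.job" % (h, h + 1)
                         for h in range(24))

if __name__ == "__main__":
    for name, reasons in scan_services(SAMPLE_O23).items():
        print("%s: %s" % (name, "; ".join(reasons)))
    print("At*.job tasks: %d" % count_at_jobs(SAMPLE_TASKS))
```

Orphaned services of legitimate software (the Epson entry) land on the same list as the two services the fix above targets, which is why the output is a review list rather than a deletion list.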


----------



## theriddler (Jul 23, 2007)

I just got a pop up saying I have the anserin virus 

sorry for the late post, the fix kept freezing, thanx 

Explorer killed successfully
[Win32 Services - Non-Microsoft Only]
Unable to stop service Messsaanger .
Unable to delete service Messsaanger .
File C:\Recyclers\svchost.exe not found.
Unable to stop service msupdate .
Unable to delete service msupdate .
File not found.
[Registry - Non-Microsoft Only]
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\\FunWebProducts not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150080} not found.
[Files/Folders - Created Within 60 days]
File C:\7F8.tmp not found!
File C:\WINDOWS\Casino.ico not found!
File C:\WINDOWS\tasks\At1.job not found!
File C:\WINDOWS\tasks\At10.job not found!
File C:\WINDOWS\tasks\At11.job not found!
File C:\WINDOWS\tasks\At12.job not found!
File C:\WINDOWS\tasks\At13.job not found!
File C:\WINDOWS\tasks\At14.job not found!
File C:\WINDOWS\tasks\At15.job not found!
File C:\WINDOWS\tasks\At16.job not found!
File C:\WINDOWS\tasks\At17.job not found!
File C:\WINDOWS\tasks\At18.job not found!
File C:\WINDOWS\tasks\At19.job not found!
File C:\WINDOWS\tasks\At2.job not found!
File C:\WINDOWS\tasks\At20.job not found!
File C:\WINDOWS\tasks\At21.job not found!
File C:\WINDOWS\tasks\At22.job not found!
File C:\WINDOWS\tasks\At23.job not found!
File C:\WINDOWS\tasks\At24.job not found!
File C:\WINDOWS\tasks\At3.job not found!
File C:\WINDOWS\tasks\At4.job not found!
File C:\WINDOWS\tasks\At5.job not found!
File C:\WINDOWS\tasks\At6.job not found!
File C:\WINDOWS\tasks\At7.job not found!
File C:\WINDOWS\tasks\At8.job not found!
File C:\WINDOWS\tasks\At9.job not found!
File C:\WINDOWS\SYSTEM32\abadd.bak1 not found!
File C:\WINDOWS\SYSTEM32\abadd.ini not found!
File C:\WINDOWS\SYSTEM32\bbeeg.bak1 not found!
File C:\WINDOWS\SYSTEM32\bbeeg.ini not found!
File C:\WINDOWS\SYSTEM32\jlkkj.bak1 not found!
File C:\WINDOWS\SYSTEM32\jlkkj.ini not found!
File C:\WINDOWS\SYSTEM32\ljjiigd.dll not found!
File C:\WINDOWS\SYSTEM32\mcrh.tmp not found!
File C:\WINDOWS\SYSTEM32\qrutv.bak1 not found!
File C:\WINDOWS\SYSTEM32\qrutv.bak2 not found!
File C:\WINDOWS\SYSTEM32\qrutv.ini not found!
File C:\WINDOWS\SYSTEM32\qrutv.ini2 not found!
File C:\WINDOWS\SYSTEM32\qrutv.tmp not found!
File C:\WINDOWS\SYSTEM32\qtstv.bak1 not found!
File C:\WINDOWS\SYSTEM32\qtstv.ini not found!
File C:\WINDOWS\SYSTEM32\tmp.reg not found!
File C:\WINDOWS\SYSTEM32\xybeg.bak1 not found!
File C:\WINDOWS\SYSTEM32\xybeg.ini not found!
File C:\Documents and Settings\nick\My Documents\-50c.exe not found!
[Files/Folders - Modified Within 30 days]
File C:\7F8.tmp not found!
File C:\WINDOWS\Casino.ico not found!
File C:\WINDOWS\tasks\At1.job not found!
File C:\WINDOWS\tasks\At10.job not found!
File C:\WINDOWS\tasks\At11.job not found!
File C:\WINDOWS\tasks\At12.job not found!
File C:\WINDOWS\tasks\At13.job not found!
File C:\WINDOWS\tasks\At14.job not found!
File C:\WINDOWS\tasks\At15.job not found!
File C:\WINDOWS\tasks\At16.job not found!
File C:\WINDOWS\tasks\At17.job not found!
File C:\WINDOWS\tasks\At18.job not found!
File C:\WINDOWS\tasks\At19.job not found!
File C:\WINDOWS\tasks\At2.job not found!
File C:\WINDOWS\tasks\At20.job not found!
File C:\WINDOWS\tasks\At21.job not found!
File C:\WINDOWS\tasks\At22.job not found!
File C:\WINDOWS\tasks\At23.job not found!
File C:\WINDOWS\tasks\At24.job not found!
File C:\WINDOWS\tasks\At3.job not found!
File C:\WINDOWS\tasks\At4.job not found!
File C:\WINDOWS\tasks\At5.job not found!
File C:\WINDOWS\tasks\At6.job not found!
File C:\WINDOWS\tasks\At7.job not found!
File C:\WINDOWS\tasks\At8.job not found!
File C:\WINDOWS\tasks\At9.job not found!
File C:\WINDOWS\SYSTEM32\abadd.bak1 not found!
File C:\WINDOWS\SYSTEM32\abadd.ini not found!
File C:\WINDOWS\SYSTEM32\bbeeg.bak1 not found!
File C:\WINDOWS\SYSTEM32\bbeeg.ini not found!
File C:\WINDOWS\SYSTEM32\jlkkj.bak1 not found!
File C:\WINDOWS\SYSTEM32\jlkkj.ini not found!
File C:\WINDOWS\SYSTEM32\ljjiigd.dll not found!
File C:\WINDOWS\SYSTEM32\mcrh.tmp not found!
File C:\WINDOWS\SYSTEM32\qrutv.bak1 not found!
File C:\WINDOWS\SYSTEM32\qrutv.bak2 not found!
File C:\WINDOWS\SYSTEM32\qrutv.ini not found!
File C:\WINDOWS\SYSTEM32\qrutv.ini2 not found!
File C:\WINDOWS\SYSTEM32\qrutv.tmp not found!
File C:\WINDOWS\SYSTEM32\qtstv.bak1 not found!
File C:\WINDOWS\SYSTEM32\qtstv.ini not found!
File C:\WINDOWS\SYSTEM32\tmp.reg not found!
File C:\WINDOWS\SYSTEM32\xybeg.bak1 not found!
File C:\WINDOWS\SYSTEM32\xybeg.ini not found!
[File String Scan - Non-Microsoft Only]
File C:\WINDOWS\SYSTEM32\ljjiigd.dll not found!
[Empty Temp Folders]
C:\DOCUME~1\nick\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 07/29/2007 07:59:17

Logfile of HijackThis v1.99.1
Scan saved at 08:06:55, on 29/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] "C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] "C:\Program Files\PCPitstop\Optimize\Reminder.exe"
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
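Both HijackThis logs in this thread use a fixed per-line format, so the checks a helper makes by eye (services whose binary is missing or has no company name, unnamed or off-vendor ActiveX downloads, autoruns outside the usual program directories) can be scripted. The Python triage script below is an added example, not a tool any poster used; its host allowlist and "usual directories" list are constructed assumptions, and the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis v1.99 log entries.

Added example for this thread, not a tool any poster used.  It parses the
O4 (autorun), O16 (DPF / ActiveX download) and O23 (service) line formats
seen in the posted logs and applies the first-pass checks a helper makes
by eye.  The host allowlist and the "usual directories" list below are
constructed assumptions for the example."""
import re
from urllib.parse import urlparse

O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(
    r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$')

# Constructed: hosts from which an ActiveX (DPF) download is expected on this
# machine.  Anything else is surfaced for a human decision, not auto-judged.
DPF_ALLOWED_HOSTS = {"update.microsoft.com", "zone.msn.com",
                     "cdn2.zone.msn.com", "fdl.msn.com"}
# Constructed: lower-cased prefixes where autorun executables normally live.
USUAL_EXE_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")


def parse_line(line):
    """Return a dict for one O4/O16/O23 entry, or None for other line types."""
    line = line.strip()
    for kind, regex in (("O4", O4_RUN_RE), ("O16", O16_RE), ("O23", O23_RE)):
        m = regex.match(line)
        if m:
            return {"type": kind, **m.groupdict()}
    return None


def exe_path(cmd):
    """Pull the executable out of an O4 command string: a quoted "..." path
    is returned whole, an unquoted command is cut at its first space (so a
    rundll32-style entry yields the host binary, not the DLL it loads)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_entry(entry):
    """Return the human-readable reasons this entry deserves a second look."""
    reasons = []
    if entry["type"] == "O23":
        if "(file missing)" in entry["path"]:
            reasons.append("service registered but its binary is missing")
        if entry["owner"] == "Unknown owner":
            reasons.append("service binary carries no company name")
    elif entry["type"] == "O16":
        host = urlparse(entry["url"]).hostname or ""
        if entry["desc"] is None:
            reasons.append("unnamed ActiveX control")
        if host not in DPF_ALLOWED_HOSTS:
            reasons.append(f"ActiveX download from non-allowlisted host {host}")
    elif entry["type"] == "O4":
        path = exe_path(entry["cmd"]).lower()
        # A bare name such as nwiz.exe resolves via PATH; only judge full paths.
        if "\\" in path and not path.startswith(USUAL_EXE_DIRS):
            reasons.append(f"autorun executable in unusual location {path}")
    return reasons


def triage(lines):
    """Map each flagged entry (by O4/O23 name or O16 CLSID) to its reasons."""
    findings = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage_entry(entry)
        if reasons:
            findings[entry.get("name") or entry["clsid"]] = reasons
    return findings


# Lines copied from the log posted above; the first of each type is a clean
# control case, the rest exercise the checks.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe',
    r'O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - '
    r'http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499',
    r'O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab',
    r'O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab',
    r'O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe',
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - '
    r'%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
    r'O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)',
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Every flag is a prompt to verify the file (publisher, location, upload to a multi-engine scanner as Cookiegal asks later in the thread), not a verdict.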


----------



## theriddler (Jul 23, 2007)

Look at the PCguard log. Is it like the worst anti-virus? It failed to disinfect more or less everything.


----------



## Cookiegal (Aug 27, 2003)

Anserin steals information like bank accounts, etc. so you'd be well advised to change any passwords, bank account numbers etc. if you have any of that sort of information in your computer.

Download GMER from: http://majorgeeks.com/download.php?det=5198

Save it somewhere on your hard drive and unzip it to desktop.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## theriddler (Jul 23, 2007)

Is there like a main site with all these virus fixes etc. on?
And what is the Maximus virus? It won't go away, it like... regenerates.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-29 21:55:45
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

Code 832EAD28 ZwCreateSection
Code 83807698 ZwDuplicateObject
Code 83873D28 ZwSetInformationFile
Code 837A0240 ZwSetSystemInformation
Code 8325B7B8 ZwWriteFile
Code 832EAD27 NtCreateSection
Code 83807697 NtDuplicateObject
Code 83873D27 NtSetInformationFile
Code 8325B7B7  NtWriteFile

---- Kernel code sections - GMER 1.0.13 ----

PAGE ntoskrnl.exe!NtCreateSection 80564B1B 7 Bytes JMP 832EAD2C 
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 593 805675D4 7 Bytes JMP 837919DC 
PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 28D 805714F2 7 Bytes JMP 836C6D2C 
PAGE ntoskrnl.exe!NtDuplicateObject 805743BE 7 Bytes JMP 8380769C 
PAGE ntoskrnl.exe!NtSetInformationFile 80579E7E 5 Bytes JMP 83873D2C 
PAGE ntoskrnl.exe!NtWriteFile 8057A125 7 Bytes JMP 8325B7BC 
PAGE ntoskrnl.exe!ZwSetSystemInformation 805A5110 5 Bytes JMP 837A0244 
PAGE Fastfat.SYS B9559948 7 Bytes JMP 83850D2C

---- User code sections - GMER 1.0.13 ----

.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[1124] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ 2B, 90, C3, 83 ]

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL Code 83850D28

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT  [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F77CCF1A] FreeTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F77CCF1A] FreeTdi.sys

Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL Code 83850D28

---- EOF - GMER 1.0.13 ----


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Then please run Super AntiSpyware and Kaspersky again and post those logs.


----------



## theriddler (Jul 23, 2007)

This is the Kaspersky log. I'll run the SUPERAntiSpyware scan now. By the way, why does it keep finding more viruses? Where are they coming from?

Thanks for your help.

I ran the HijackThis after I did the Kaspersky.

Logfile of HijackThis v1.99.1
Scan saved at 20:59:33, on 30/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] "C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] "C:\Program Files\PCPitstop\Optimize\Reminder.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)


----------



## theriddler (Jul 23, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2007 at 00:51 AM

Application Version : 3.9.1008

Core Rules Database Version : 3275
Trace Rules Database Version: 1286

Scan type : Complete Scan
Total Scan Time : 03:42:36

Memory items scanned : 494
Memory threats detected : 0
Registry items scanned : 5647
Registry threats detected : 0
File items scanned : 105304
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\nick\Cookies\[email protected][1].txt
C:\Documents and Settings\nick\Cookies\[email protected][1].txt
C:\Documents and Settings\nick\Cookies\[email protected][2].txt
C:\Documents and Settings\nick\Cookies\[email protected][2].txt
C:\Documents and Settings\nick\Cookies\[email protected][2].txt
C:\Documents and Settings\nick\Cookies\[email protected][1].txt
C:\Documents and Settings\nick\Cookies\[email protected][2].txt
C:\Documents and Settings\nick\Cookies\[email protected][2].txt

Trojan.Downloader-Gen/HitItQuitIt
C:\DOCUMENTS AND SETTINGS\NICK\DESKTOP\JUNK FOLDER\CATMAN\MOVEDFILES\WINDOWS\SYSTEM32\LJJIIGD.DLL


----------



## Cookiegal (Aug 27, 2003)

Did you create this folder?

C:\Documents and Settings\nick\Desktop\junk folder\CATMAN\*MovedFiles*


----------



## theriddler (Jul 23, 2007)

The program winpufinder you gave me was in that folder :S
I made a folder called catman (so I could find it in search mode, when I was in safe mode).
The moved files was there before, but the last time I checked it was empty. Now it's got 3 things in it, I'm guessing that 7f8 thing is some sort of virus?

I didn't create the folder called moved files, it was there when I downloaded the program and extracted it.
This is what was in it when I downloaded it:

http://tinypic.com/view.php?pic=4yk22ix

http://tinypic.com/view.php?pic=6czh7ah


----------



## Cookiegal (Aug 27, 2003)

That's what threw me off. The MovedFiles folder should be in the WinpFind3u folder. WinpFind3u.exe should just be extracted to the desktop where it will create its own folder. This could be why it didn't work. How did your Documents and Settings and Windows folders get in there? Open them both and tell me what files they contain please.


----------



## theriddler (Jul 23, 2007)

It did create its own folder lol, I renamed it catman so it is easy to remember. When I boot up in safe mode it doesn't show any of my folder files, so I have to use the search option lol. It's not an easy name to remember, "winpufind" (I think), so I call it that instead.

This is what's in the documents file. Take a look at this, it freezes email addresses, I just tried it on my own.

I'm guessing these programs don't come with the one you sent me, it doesn't make sense, I never even knew there were email freezers :S

The windows also has a few mad files in it, I don't know what they are, look


----------



## Cookiegal (Aug 27, 2003)

OK, they are all the bad things that have been moved there by WinpFind3u so it looks like it worked or at least partially.

Delete the entire Catman folder and remove the WinpFind3u program.

Now redownload it but don't rename anything or create any new directories. Save it to the desktop and extract its own folder there.

Then boot to safe mode and run a new scan with it and post the log please so I can see if anything remains to be addressed.


----------



## theriddler (Jul 23, 2007)

It's too big for the thread, so I have put it as an attachment. Thanks.


----------



## Cookiegal (Aug 27, 2003)

There are a couple of .reg files I'd like to see what they contain so please do this for each of these:

*C:\Windows\totals.reg
C:\Windows\System32\outfix.reg*

You may have to unhide files first:

Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Right click on the file and select "open with" and Notepad and then copy and paste the contents here please.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\Windows\System32\*B0DE9BE21E.sys*


----------



## theriddler (Jul 23, 2007)

Where's the "More advanced search options"? Sorry.


----------



## Cookiegal (Aug 27, 2003)

Click on All Files and folders and then you will see it.


----------



## theriddler (Jul 23, 2007)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\WareSoft Software\XP Smoker]
"ProtectionEnabled"="YES"
"TotalSites"="37548"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}\LocalServer32]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}\InProcServer32]
@=""
"ThreadingModel"="Apartment"

Scan taken on 02 Aug 2007 00:38:55 (GMT) 
A-Squared Found nothing 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
CPsecure Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Rising Antivirus Found nothing 
Sophos Antivirus Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

Um, the XP Smoker thing is a program I just downloaded, I hope it's not a virus, I've only just got it. By the way, do some of these registry programs lie? I use Registry Mechanic and it finds like 10, then I used another one off the internet and it says you have 100000 errors, remove now or your computer will crash, and you have to pay to fix them lol.


----------



## Cookiegal (Aug 27, 2003)

No, the program seems fine and the other reg file appears to be a tweak so those are OK.

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.



> [Kill Explorer]
> [Unregister Dlls]
> [Files/Folders - Created Within 60 days]
> NY -> @Alternate Data Stream - 129 bytes -> %AllUsersAppData%\TEMP:44DAF2F1
> ...


----------



## theriddler (Jul 23, 2007)

Explorer killed successfully
[Files/Folders - Created Within 60 days]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:44DAF2F1 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP1B5B4F1 .
[Empty Temp Folders]
C:\DOCUME~1\nick\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 08/02/2007 20:48:21

I had to delete the reboot bit off the end because it kept freezing up; I hope this doesn't affect the outcome. It still asked me to reboot though.

Thanks for your help.


----------



## theriddler (Jul 23, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 22:18:22, on 02/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [InternetCalls] "C:\program files\internetcalls.com\internetcalls\internetcalls.exe" -nosplash -minimized
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and fix this entry:
*O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab*

How are things now?


----------



## theriddler (Jul 23, 2007)

My computer seems to be running perfect :up:

No more resource eaters, you're a hero!


----------



## Cookiegal (Aug 27, 2003)

Please run one more Kaspersky scan as there may be some lingering files.

I'd also like to run this tool please:

*Click here* to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.


----------



## theriddler (Jul 23, 2007)

My computer's infested again.

I don't understand, it never found all this the last time, I don't think.

I have put it as an attachment. I'll post the log of the other tool in 5 mins.




Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


----------



## Cookiegal (Aug 27, 2003)

No, it's because it's picking up some of the programs we've used as false positives and that's normal but there are a few things from the first log that are still there so please do the following:

Navigate to this folder:

C:\Documents and Settings\nick\Local Settings\*Temp*

Open the Temp folder and delete everything it contains but not the folder itself.

If the Junk folder that you created on your desktop was only for things we've run and you have nothing you want to keep in there, delete the entire folder.

Uninstall these programs from Add/Remove programs if there's an entry there:

*SnadBoy's Revelation v2
kh2_screensaver*

Boot to safe mode and delete these files and folders:

C:\Documents and Settings\nick\My Documents\Bexx\*kh2_screensaver*
C:\Documents and Settings\nick\My Documents\*ca_setup.exe*
C:\Program Files\*codec_setup.exe*
C:\Program Files\*SnadBoy's Revelation v2*

Empty the quarantine folder of this program:
C:\Program Files\EMCO Malware Destroyer\Quarantine

After you've done all of the above, reboot and run Kaspersky again and post the log please.


----------



## theriddler (Jul 23, 2007)

I can't delete the temp files, it gets this error. I deleted some folders though. My junk folder is more of a misc; anything I know I won't use again I put in there, also things that take up space on my desktop. There are a lot of files in there, I still need them, but if it's for the better should I delete them anyway? I will get rid of the folder in safe mode. Thanks for your help.

I deleted the documents bar one; the SnadBoy Revelation wasn't there when I uninstalled it in Add/Remove, it might have deleted it.

I will leave the Kaspersky scan running overnight.


----------



## Cookiegal (Aug 27, 2003)

Actually, it's mainly the contents of the CATMAN folder that should be deleted.

The JVM temp files are related to Java and some temp files will not delete within 24 hours of being set up so don't worry if some won't go.


----------



## theriddler (Jul 23, 2007)

I have deleted the catman folder. I have put the Kaspersky report as an attachment.

Once again, thanks for your help :up:


----------



## Cookiegal (Aug 27, 2003)

There are two things there that I believe are false positives but I'd like to get them checked out.

Go to Start > Search - All Files and Folders and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe*

Also, empty your recycle bin.


----------



## theriddler (Jul 23, 2007)

C:\Program Files\Mouse Driver\MouseDrv.exe

Scan taken on 04 Aug 2007 19:35:26 (GMT) 
A-Squared Found nothing 
AntiVir Found HEUR/Malware 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found Win32/PEPatch 
BitDefender Found Win32.Cuter.A 
ClamAV Found W32.Cuter 
CPsecure Found nothing 
Dr.Web Found Trojan.Inject.351 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found Virus.Win32.Agent.ab 
Fortinet Found nothing 
Kaspersky Anti-Virus Found Virus.Win32.Agent.ab 
NOD32 Found Win32/Agent.AB 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Rising Antivirus Found Virus.Win32.Agent.b 
Sophos Antivirus Found nothing 
VirusBuster Found Trojan.Patched.S 
VBA32 Found nothing

C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe

A-Squared Found nothing 
AntiVir Found HEUR/Malware 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found Win32/PEPatch 
BitDefender Found Win32.Cuter.A 
ClamAV Found W32.Cuter 
CPsecure Found nothing 
Dr.Web Found Trojan.Inject.351 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found Virus.Win32.Agent.ab 
Fortinet Found nothing 
Kaspersky Anti-Virus Found Virus.Win32.Agent.ab 
NOD32 Found Win32/Agent.AB 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Rising Antivirus Found Virus.Win32.Agent.b 
Sophos Antivirus Found nothing 
VirusBuster Found Trojan.Patched.S 
VBA32 Found nothing 


If these things get a connection to the internet, what can they do? It kept coming up through PCguard that the mouse wanted access to the internet; because I have like 3 mice on my computer I just allowed it, although I thought it was strange a mouse would need access to the internet.
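The two Jotti result blocks above are the kind of multi-engine output a helper reads by eye; the following is an added Python example (not from the thread or from Jotti) that parses that pasted text, counts how many engines flagged the file, and applies a simple consensus rule. It assumes the line format shown in the posts ("<engine> Found <verdict>", "Found nothing" meaning clean); the MouseDrv.exe block is copied from the post, the clean block is a trimmed copy of the earlier B0DE9BE21E.sys result.

```python
"""Tally a Jotti-style multi-engine result block as pasted in this thread.

Constructed samples: MOUSEDRV_SAMPLE is the MouseDrv.exe block from the post
above; CLEAN_SAMPLE is the earlier B0DE9BE21E.sys result trimmed to 5 engines.
"""
import re

# One line per engine: "<engine name> Found <verdict>"; "Found nothing" means clean.
RESULT_RE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<verdict>.+?)\s*$")
HEADER_RE = re.compile(r"^Scan taken on (?P<when>.+)$")

MOUSEDRV_SAMPLE = """\
Scan taken on 04 Aug 2007 19:35:26 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Malware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Win32/PEPatch
BitDefender Found Win32.Cuter.A
ClamAV Found W32.Cuter
CPsecure Found nothing
Dr.Web Found Trojan.Inject.351
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Virus.Win32.Agent.ab
Fortinet Found nothing
Kaspersky Anti-Virus Found Virus.Win32.Agent.ab
NOD32 Found Win32/Agent.AB
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found Virus.Win32.Agent.b
Sophos Antivirus Found nothing
VirusBuster Found Trojan.Patched.S
VBA32 Found nothing
"""

CLEAN_SAMPLE = """\
Scan taken on 02 Aug 2007 00:38:55 (GMT)
A-Squared Found nothing
AntiVir Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Sophos Antivirus Found nothing
"""


def parse_results(text):
    """Return (scan_time, {engine: verdict or None}) from a pasted result block."""
    scan_time, verdicts = None, {}
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            scan_time = header.group("when")
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue  # blank lines, file paths and other chatter are ignored
        verdict = m.group("verdict")
        verdicts[m.group("engine")] = None if verdict.lower() == "nothing" else verdict
    return scan_time, verdicts


def summarize(verdicts):
    """Count flagging engines, heuristic-only hits, and the distinct names given."""
    flagged = {eng: name for eng, name in verdicts.items() if name}
    heuristic = [eng for eng, name in flagged.items() if name.upper().startswith("HEUR")]
    return {"total": len(verdicts), "flagged": len(flagged),
            "heuristic": len(heuristic), "names": sorted(set(flagged.values()))}


def consensus(verdicts, min_named=3):
    """Triage rule: several engines with a named detection beats a lone heuristic."""
    s = summarize(verdicts)
    if s["flagged"] - s["heuristic"] >= min_named:
        return "malicious"
    return "suspicious" if s["flagged"] else "clean"


def looks_like_patched_host(verdicts):
    """Names containing 'patch' (Win32/PEPatch, Trojan.Patched) mean a legitimate
    executable was modified in place by a file infector; that is why reinstalling
    the vendor software, as advised in this thread, removes it."""
    return any("patch" in (name or "").lower() for name in verdicts.values())


if __name__ == "__main__":
    for label, sample in (("MouseDrv.exe", MOUSEDRV_SAMPLE), ("B0DE9BE21E.sys", CLEAN_SAMPLE)):
        when, v = parse_results(sample)
        s = summarize(v)
        print(f"{label}: scanned {when}, {s['flagged']}/{s['total']} engines flagged it"
              f" -> {consensus(v)}; patched host? {looks_like_patched_host(v)}")
```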


----------



## Cookiegal (Aug 27, 2003)

Do not continue to allow them. It seems they have been infected.

*Click here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the *green arrow* at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found:

If so, click it and then click the next icon right below and select *Move incurable* as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click *file* and choose *save report list*.
Save the report to your desktop. The report will be called *DrWeb.csv*.
Close Dr.Web CureIt.
*Reboot* your computer!! Files in use may be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.


----------



## theriddler (Jul 23, 2007)

blueyonder-istnotifier.exe;c:\program files\blueyonder ist\smartbridge;Trojan.Inject.351;Will be cured after reboot.;
mousedrv.exe;c:\program files\mouse driver;Trojan.Inject.351;Will be cured after reboot.;
nerocheck.exe;c:\windows\system32;Trojan.Inject.351;Cured.;
restart.exe;C:\Documents and Settings\nick\Desktop\junk folder\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
SktInstall.exe;C:\Program Files\blueyonder\PCguard;Probably BINARYRES;Incurable.Moved.;
blueyonder-istnotifier.exe.delete_on_reboot;C:\Program Files\blueyonder IST\SmartBridge;Trojan.Inject.351;Will be cured after reboot.;
restart.exe;C:\Program Files\Common Files\System\Mapi\1033\NT\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;



It comes out in an Excel format :S

I tried to upload it, but it doesn't recognise it.

The stuff above is what's in Excel.


----------



## Cookiegal (Aug 27, 2003)

Go *here* and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and *attach* it to your next reply along with a new HijackThis log.

*Note:* You have to use Internet Explorer to do the online scan.


----------



## theriddler (Jul 23, 2007)

the scan report is as an attatchment at the bottom, thanks 

Logfile of HijackThis v1.99.1
Scan saved at 13:52:09, on 05/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Advanced Browser\browser.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [zSPGuard] "c:\program files\pjw\spguard\spguard.exe" /s /r
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PCguard] C:\Program Files\blueyonder\PCguard\Rps.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [InternetCalls] "C:\program files\internetcalls.com\internetcalls\internetcalls.exe" -nosplash -minimized
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
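The Dr.Web CureIt report two posts up and the HijackThis log above are read together: an infected file matters most when an O4 entry starts it at every boot. The following is an added Python example (not from the thread or from either tool) that parses the O4 lines, parses the semicolon-separated DrWeb.csv rows, and lists which autoruns point at a flagged executable; both samples are trimmed copies of the posted logs, and matching is by basename because HijackThis prints 8.3 short names while Dr.Web prints long lower-case paths.

```python
"""Cross-reference HijackThis O4 autoruns against a Dr.Web CureIt report.

Both samples are constructed test data for this example, trimmed copies of
the O4 lines and DrWeb.csv rows posted in this thread.
"""
import ntpath
import re
from collections import namedtuple

Autorun = namedtuple("Autorun", "hive name command exe")
DrWebRow = namedtuple("DrWebRow", "filename directory threat action")

# "O4 - HKLM\..\Run: [Name] command"  and  "O4 - Global Startup: Name.lnk = target"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")

HJT_LOG = r"""
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
O4 - HKLM\..\Run: [CreativeMouse] "C:\Program Files\Mouse Driver\MouseDrv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
"""

DRWEB_REPORT = r"""
blueyonder-istnotifier.exe;c:\program files\blueyonder ist\smartbridge;Trojan.Inject.351;Will be cured after reboot.;
mousedrv.exe;c:\program files\mouse driver;Trojan.Inject.351;Will be cured after reboot.;
nerocheck.exe;c:\windows\system32;Trojan.Inject.351;Cured.;
restart.exe;C:\Documents and Settings\nick\Desktop\junk folder\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
blueyonder-istnotifier.exe.delete_on_reboot;C:\Program Files\blueyonder IST\SmartBridge;Trojan.Inject.351;Will be cured after reboot.;
"""


def executable_of(command):
    """Program path from an O4 command: the quoted part if quoted (this covers
    "RUNDLL32.EXE" dll,Entry), otherwise up to the first .exe token (8.3 and
    long paths alike); anything else (e.g. "?") comes back unchanged."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_hjt_o4(log_text):
    """Yield an Autorun for every O4 line; other HijackThis sections are skipped."""
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        hive = m.groupdict().get("hive") or "Global Startup"
        yield Autorun(hive, m.group("name"), cmd, executable_of(cmd))


def parse_drweb(report_text):
    """Yield a DrWebRow per 'filename;directory;threat;action;' line."""
    for line in report_text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) >= 4 and fields[0]:
            yield DrWebRow(*fields[:4])


def infected_autoruns(log_text, report_text):
    """[(Autorun, [DrWebRow, ...])] for autoruns whose executable Dr.Web flagged.

    Match on the lower-cased basename: HijackThis shows 8.3 names (PROGRA~1)
    and mixed case, Dr.Web lower-case long paths, so full paths would not compare."""
    flagged = {}
    for row in parse_drweb(report_text):
        flagged.setdefault(row.filename.lower(), []).append(row)
    hits = []
    for entry in parse_hjt_o4(log_text):
        rows = flagged.get(ntpath.basename(entry.exe).lower())
        if rows:
            hits.append((entry, rows))
    return hits


def pending_after_reboot(report_text):
    """Files Dr.Web could only schedule: until the reboot the thread insists on,
    a fresh HijackThis log will still show them running."""
    return sorted(r.filename for r in parse_drweb(report_text) if "reboot" in r.action.lower())


if __name__ == "__main__":
    for entry, rows in infected_autoruns(HJT_LOG, DRWEB_REPORT):
        threats = ", ".join(f"{r.threat} ({r.action})" for r in rows)
        print(f"{entry.hive} [{entry.name}] -> {entry.exe}: {threats}")
    print("pending reboot:", pending_after_reboot(DRWEB_REPORT))
```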


----------



## Cookiegal (Aug 27, 2003)

That seems to have taken care of the things Kaspersky found. Would you like to run another Kaspersky scan so I can see what it looks like now please?


----------



## theriddler (Jul 23, 2007)

lol, it found more than it ever did.


----------



## Cookiegal (Aug 27, 2003)

No, it looks good. Many are the tools we used and the restore points but we'll flush those out when we're done.

So how are things running now?


----------



## theriddler (Jul 23, 2007)

My computer,
It runs perfect, it's no longer slow, but that mouse driver thing is still lingering.

Can I ask, how did you know that there would be a virus in

C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Multimedia Keyboard\PS2USBKbdDrv.exe


----------



## theriddler (Jul 23, 2007)

Something's still resource hogging.

That mouse thing is trying to add values to my registry too.


----------



## Cookiegal (Aug 27, 2003)

When did you get Ad-Watch? I didn't see it in your logs before. It's saying something wants to delete the mousedrv.exe.

Those two files were flagged by Kaspersky in the initial scan. I thought they were false positives but then when you had them scanned, there were a few positives there as well. That's why I had you run CureIt and BitDefender. It could be one of those programs is trying to delete the registry key and hasn't been able to because Ad-Watch is blocking it. I'm still not sure if this is a false positive or not. 

Do you have a Creative Mouse and Multimedia Keyboard? If so, can you uninstall the software and reinstall it? If there is infection, that will kill it.

Also, what process is using the CPU?


----------



## theriddler (Jul 23, 2007)

I have had it since the start; when you go on Ad-Aware it's on one of the tabs, but it doesn't work until you load it up. I don't think it blocked Kaspersky from deleting the registry key as I only put it on afterwards, but when I did put it on, it was detecting 1000s of registry changes; they just kept popping up. A few from AVG came up too.

How do I know which one is the Creative mouse?
I have 3 mice plugged into my computer: a wireless, another wireless and a standard one with the ball in it. I'll uninstall my keyboard now.

For the process, it's nothing; when I look at the processes nothing's there, they're all like 0s, and like one 10, but yet on the performance bit it goes up to 100%.

Thanks


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## theriddler (Jul 23, 2007)

Ace Utilities
Ad-Aware SE Professional
Adobe Reader 8.1.0
Advanced Browser (remove only)
ArcSoft PhotoImpression
ArcSoft Software Suite
Arena 1.1
Avant Browser (remove only)
AVG Anti-Spyware 7.5
Belarc Advisor 6.0
Belkin Bluetooth Software
blueyonder Instant Support Tool
blueyonder PCguard
BOSS Fonts Manager
CameraMate ProPix OnTV v1.4
CameraMate ProPix Sound
CamStudio
Camtasia Studio 4
Concord 3045 Camera Drivers
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.1.7
EMCO Malware Destroyer
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoQuicker3.2
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
Hemera Photo-Objects 5000
Hoyle Board Games 2003
Iconoid Version 3.4.0
Intel(R) 536EP V.92 Modem
Java(TM) SE Development Kit 6 Update 1
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
LG PhoneManager
LG SyncManager
LG USB Modem driver
Microsoft .NET Framework 2.0
Microsoft Bootvis
Microsoft Office 2000 SR-1 Professional
Microsoft Works 7.0
Microsoft XML Parser and SDK
Moraff's MarbleJongg 1.11 Freeware
Mouse Driver
Nero Suite
NJStar Japanese WP
NVIDIA Drivers
Panda ActiveScan
PCguard advisor 1.3.22
PowerDVD
Registry Mechanic 6.0
RGSS-RTP Standard
Sid Meier's Civilization 4
Space Invaders OpenGL (remove only)
Speed Gear 5.00
Spyware Doctor 5.0
SpywareBlaster v3.5.1
StartPage Guard 2.51
SUPERAntiSpyware Professional
SuperCleaner
Tomb Raider II
USB PC Camera
Veoh Player
VIA Audio Driver Setup Program
VIA Integrated Setup Wizard
VIA Rhine-Family Fast Ethernet Adapter
WinAce Archiver
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinPcap 4.0
WinZip 11.1
Wisdom-soft AutoScreenRecorder 2.1 Pro
Worms World Party
XP Smoker Pro 5.1
YouTube Downloader 2.4


----------



## Cookiegal (Aug 27, 2003)

Let's take a closer look at that file.

Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Go to the forum *here* and upload this (these) file(s):

*C:\Program Files\Mouse Driver\MouseDrv.exe *

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## theriddler (Jul 23, 2007)

I uploaded it; here's the link to the thread:

http://www.thespykiller.co.uk/index.php?topic=4685.new#new

I ran the mouse through the scanner that scans it with like 20 different AVs; it found nothing in it. When my mouse was virused, did the virus get into it, or was it already there?


----------



## Cookiegal (Aug 27, 2003)

I don't know. I still think it may have been a false positive. We'll know more once this file is analyzed.


----------



## theriddler (Jul 23, 2007)

My computer's dead. The internet went down yesterday, and when I rebooted my computer everything couldn't be read; it just has the white box with a few cogs in it. I can't even start it in safe mode, because when I do the tap F8 thing the keyboard doesn't work when I want to move up to Safe. I typed msconfig in the Run box; it just comes up with "Windows cannot read this program, please use either the web to locate a suitable component."

I thought using my XP disk might help, but when I put it in it doesn't load on the boot up, and when I put it in when I'm already on Windows it loads, but if I click anything it doesn't do anything.

Am I going to have to get my hard drive wiped?

Oh, no matter, devilhimself helped me get it back to normal again.


----------



## Cookiegal (Aug 27, 2003)

So how did you fix it? What is the status now?


----------



## theriddler (Jul 23, 2007)

http://www.dougknox.com/xp/file_assoc.htm

He told me to merge some of these with my registry,

and to type things like assoc.ink=inkfile at the command prompt.

These keep coming up for registry changes too.

And the last thing is poker online keeps coming up as a pop-up on the IE:

http://www.pokerstars.com/sites/10/?utm_id=102

Sorry about all this.

http://www.errorsafe.com/pages/scan...f67602ffffff_12de42ed44d54751835b5e11558d17f4


----------



## Cookiegal (Aug 27, 2003)

Who told you to merge things in the registry?


----------



## theriddler (Jul 23, 2007)

His user is devilhimself. He didn't say merge; he said just click on it and it should restore the defaults of the files. It wouldn't work, so he told me to import them into the registry by using regedit. I'll try to find the thread; it's in the XP section.


----------



## Cookiegal (Aug 27, 2003)

You shouldn't have started a new thread for that problem as we were working on your computer in this one. Since you did a system restore, is everything OK now?


----------



## theriddler (Jul 23, 2007)

The system restore didn't do anything; the crazy registry thing fixed it. Yep, everything's going OK now.

I started a new thread because I thought that it probably wasn't a virus, and the original thing was I wanted to know how to get the system restore up. Sorry.


----------



## Cookiegal (Aug 27, 2003)

It's OK but FYI, malware can disable system restore so it could have been related. We are still waiting for word on the file you uploaded though.


----------



## theriddler (Jul 23, 2007)

I ran the mouse thing through a multiple scanner thing; it came up clean. What do those people do with the file I uploaded? Do they scan it, or do they have their own special way of finding out if it's infected?


----------



## theriddler (Jul 23, 2007)

Is this safe?

O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - C:\WINDOWS\inetloader.dll (file missing)

Logfile of HijackThis v1.99.1
Scan saved at 22:28:54, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - C:\WINDOWS\inetloader.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe


----------



## Cookiegal (Aug 27, 2003)

No, not good.

Please download *SmitfraudFix* (by *S!Ri*)

Extract (unzip) the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.
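A way to triage log lines like the BHO entry asked about above, as an added example that is not part of the thread and not HijackThis's own logic: it parses a few constructed HijackThis-style lines (copied from the logs posted here) and flags the things a helper looks at first: orphaned registrations ("(file missing)" or "(no file)"), a BHO that loads from outside the usual install directories, and a service with no recognised owner. The regexes and the trusted-directory allowlist are assumptions made for this example, not rules from the tool.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: HijackThis v1.99.1 lines of the kind posted in this thread,
# mixing benign entries with the orphaned BHO and service that were asked about.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - C:\WINDOWS\inetloader.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
"""

# Markers HijackThis appends when the registered file is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Assumed allowlist of directories a legitimate BHO is normally installed to
# (lower-cased). This is an assumption for the example, not a HijackThis rule.
TRUSTED_BHO_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

# Assumed line shapes for the O2 (BHO) and O23 (service) sections.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2" or "O23"
    reason: str
    line: str


def _bare_path(path: str) -> str:
    """Drop the orphan marker so only the registered file path remains."""
    for marker in ORPHAN_MARKERS:
        path = path.replace(marker, "")
    return path.strip()


def triage(log_text: str) -> list[Finding]:
    """Return the HijackThis lines worth a closer look, each with the reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]

        # 1. Registration left behind after the file itself was removed or deleted.
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, "orphaned entry: registered file is no longer on disk", line))

        # 2. BHO DLL outside the directories legitimate software installs to.
        bho = BHO_RE.match(line)
        if bho:
            path = _bare_path(bho.group("path")).lower()
            if path and not path.startswith(TRUSTED_BHO_DIRS):
                findings.append(Finding(section, f"BHO loads from an unusual location: {path}", line))

        # 3. Service whose binary carries no recognised vendor name.
        svc = SVC_RE.match(line)
        if svc and svc.group("owner") == "Unknown owner":
            findings.append(Finding(section, f"service with unknown owner: {svc.group('name')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample above the WeeklyExecuter line is reported twice (orphaned, and loading from C:\WINDOWS rather than an install directory), which is the combination that makes a BHO entry worth fixing even when the DLL is already gone: the registration alone says something was installed there.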


----------



## Cookiegal (Aug 27, 2003)

theriddler said:


> I ran the mouse thing through at multiple scanner thing, it came up clean, what do those people do with the file I uploaded? do they scan it or do they have there own special way of finding out if its infected


They unpack it and analyze it thoroughly.


----------



## theriddler (Jul 23, 2007)

SmitFraudFix v2.211

Scan done at 23:13:40.93, 12/08/2007
Run from C:\Documents and Settings\nick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\nick

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\nick\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\nick\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter
DNS Server Search Order: 192.168.2.1
DNS Server Search Order: 62.30.0.39
DNS Server Search Order: 195.188.53.175
DNS Server Search Order: 62.31.112.39

HKLM\SYSTEM\CCS\Services\Tcpip\..\{81963E5C-0CD6-4227-9B4A-0EE5E2E58B85}: DhcpNameServer=192.168.2.1 62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS1\Services\Tcpip\..\{81963E5C-0CD6-4227-9B4A-0EE5E2E58B85}: DhcpNameServer=192.168.2.1 62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS3\Services\Tcpip\..\{81963E5C-0CD6-4227-9B4A-0EE5E2E58B85}: DhcpNameServer=192.168.2.1 62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 62.30.0.39 195.188.53.175 62.31.112.39

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

This also popped up.

Sorry for wasting so much of your time.


----------



## Cookiegal (Aug 27, 2003)

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in *Safe Mode*.

Double click *combofix.exe * and follow the prompts.
When finished, it will produce a log for you. Post that log and a new *HijackThis* log in your next reply
*Note: Do not mouseclick combofix's window while it's running as that may cause it to stall*


----------



## theriddler (Jul 23, 2007)

Where is ComboFix?

Found it, I'll reboot in Safe now, thanks!


----------



## Cookiegal (Aug 27, 2003)

Download *ComboFix* to your Desktop.

And what happened to your anti-virus program? You're not running one?


----------



## theriddler (Jul 23, 2007)

I must have; PCguard is always on. I think it may have come off because I disabled it at the startup; it lags my computer so bad.

I have turned it on manually; maybe now it will appear in the HijackThis log.

I ran ComboFix, but it doesn't create a logfile; it gets to this point then goes back to the desktop.

Logfile of HijackThis v1.99.1
Scan saved at 00:24, on 2007-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\nick\Desktop\ComboFix\catchme.cfexe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\nick\Desktop\ComboFix\catchme.cfexe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\cmd.exe /c Combobatch.bat
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe


----------



## Cookiegal (Aug 27, 2003)

Did you download it to your desktop? It looks like you have downloaded it to the C root directory. If that's the case, it can't run from there as it will delete itself.


----------



## Cookiegal (Aug 27, 2003)

And PCGuard is not an anti-virus program, it's a firewall.

Go to the following link and download AVG Free Anti-virus:

http://free.grisoft.com/doc/download-free-anti-virus/us/frt/0


----------



## theriddler (Jul 23, 2007)

That solved that, thanks. I'll try and get AVG now; I have the spyware one, I didn't realise they were separate things.

ComboFix 07-08-09.3 - "nick" 2007-08-13 0:50:18.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.413 [GMT 1:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\nick\APPLIC~1\__c00C0860.exe
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\ServicePackFiles\barloe.dll
C:\WINDOWS\Spyware Remover.ico

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\LEGACY_MSUPDATE

((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))

2007-08-12 12:55 d--------	C:\DOCUME~1\nick\APPLIC~1\uTorrent
2007-08-11 20:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 13:00 d--------	C:\Program Files\IDoser
2007-08-10 23:32 d--------	C:\Program Files\Advanced GIF Animator
2007-08-10 18:50 d--------	C:\Program Files\Windows Live
2007-08-09 21:59 d--------	C:\DOCUME~1\nick\Contacts
2007-08-09 21:57 d----c---	C:\WINDOWS\system32\DRVSTORE
2007-08-09 21:53 d--------	C:\Program Files\MSN Messenger
2007-08-09 21:43 d--------	C:\VundoFix Backups
2007-08-08 14:32	556	--a------	C:\WINDOWS\system32\tmp.reg
2007-08-08 14:31	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-08-08 14:31	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-08-08 14:31	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-08-08 13:15	8,790	--a------	C:\DOCUME~1\nick\install.exe
2007-08-08 13:15	7,168	--a------	C:\DOCUME~1\nick\keygen.exe
2007-08-08 13:15	7,168	--a------	C:\DOCUME~1\nick\crack.exe
2007-08-08 13:15	48	--a------	C:\DOCUME~1\nick\readme.bat
2007-08-08 12:30 d--------	C:\EmergencyUtils
2007-08-08 10:50	3,732	--a------	C:\DOCyoyo.reg
2007-08-07 22:21	84,992	--a------	C:\WINDOWS\system32\atl70.dll
2007-08-07 22:21	262,416	--a------	C:\WINDOWS\system32\ASFV2.DLL
2007-08-07 22:21	15,360	--a------	C:\WINDOWS\system32\asfsipc.dll
2007-08-07 21:05 d--------	C:\Program Files\Support Tools
2007-08-05 11:31 d--------	C:\WINDOWS\BDOSCAN8
2007-08-05 01:13 d--------	C:\Program Files\Advanced Browser
2007-08-04 21:31 d--------	C:\DOCUME~1\nick\DoctorWeb
2007-08-02 22:10 d--------	C:\Program Files\SpywareBlaster
2007-08-02 07:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-08-01 21:18	107,864	--a------	C:\WINDOWS\system32\tsccvid.dll
2007-08-01 21:18 d--------	C:\WINDOWS\system32\QuickTime
2007-08-01 21:17 d--------	C:\Program Files\TechSmith
2007-08-01 21:17 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-08-01 16:23 d--------	C:\DOCUME~1\nick\APPLIC~1\Avant Profiles
2007-08-01 16:21 d--------	C:\DOCUME~1\nick\APPLIC~1\Avant Browser
2007-08-01 16:20 d--------	C:\Program Files\Avant Browser
2007-07-31 21:21	674	--a------	C:\WINDOWS\ie-ads-uninst.reg
2007-07-31 21:21	53,248	--a------	C:\WINDOWS\system32\SSubTmr6.dll
2007-07-31 21:21	492	--a------	C:\WINDOWS\system32\outfix.reg
2007-07-31 21:21	39,770	--a------	C:\WINDOWS\system32\tcpipbak.reg
2007-07-31 21:21	32,768	--a------	C:\WINDOWS\system32\ServiceRepair.exe
2007-07-31 21:21	300	--a------	C:\WINDOWS\totals.reg
2007-07-31 21:21	10,210,348	--a------	C:\WINDOWS\ie-ads.reg
2007-07-31 21:21 d--------	C:\Program Files\XP Smoker
2007-07-28 23:00	159,744	--a------	C:\WINDOWS\system32\hasher.dll
2007-07-28 13:17 d--------	C:\Program Files\Common Files\iS3
2007-07-28 13:17 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-07-28 02:11 d--------	C:\DOCUME~1\nick\APPLIC~1\BitTorrent
2007-07-28 02:00	8,576	--a------	C:\WINDOWS\system32\drivers\ljnelkliyanu.sys
2007-07-28 01:03 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-07-28 01:00 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Advanced Browser
2007-07-27 17:45	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-27 17:36 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-07-27 13:37	8,704	--a------	C:\WINDOWS\system32\pfdnnt.exe
2007-07-27 12:21	8,576	--a------	C:\WINDOWS\system32\drivers\opabcojvebht.sys
2007-07-26 21:07	8,576	--a------	C:\WINDOWS\system32\drivers\cwnsjlwkekub.sys
2007-07-26 20:56	8,576	--a------	C:\WINDOWS\system32\drivers\auctfrvqnwve.sys
2007-07-26 02:20	8,576	--a------	C:\WINDOWS\system32\drivers\jibxpfefmjvf.sys
2007-07-26 02:12 d--------	C:\WINDOWS\system32\ActiveScan
2007-07-26 00:37	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-25 20:36 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-25 20:35 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-25 20:35 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 20:35 d--------	C:\DOCUME~1\nick\APPLIC~1\SUPERAntiSpyware.com
2007-07-25 14:30 d--------	C:\Program Files\LizardTech
2007-07-24 22:14 d--------	C:\WINDOWS\ERUNT
2007-07-24 22:02	786,432	--a------	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-24 21:59 d--------	C:\WINDOWS\pss
2007-07-23 21:46	94,208	--a------	C:\WINDOWS\amcap.exe
2007-07-23 21:46	53,248	--a------	C:\WINDOWS\vsnpstd3.dll
2007-07-23 21:46	53,248	--a------	C:\WINDOWS\system32\csnpstd3.dll
2007-07-23 21:46	20,480	--a------	C:\WINDOWS\usnpstd3.exe
2007-07-23 21:46	147,456	--a------	C:\WINDOWS\system32\rsnpstd3.dll
2007-07-23 21:46	10,252,544	--a------	C:\WINDOWS\system32\drivers\snpstd3.sys
2007-07-23 21:46 d--------	C:\Program Files\Common Files\snpstd3
2007-07-22 21:24	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-07-22 21:24 d--------	C:\Program Files\Spyware Doctor
2007-07-19 23:15 d--------	C:\Program Files\Lavasoft
2007-07-18 20:28 d--------	C:\DOCUME~1\nick\APPLIC~1\Google
2007-07-18 20:28 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-17 21:49 d--h-----	C:\WINDOWS\PIF
2007-07-17 21:25 d--------	C:\Program Files\Microsoft Bootvis
2007-07-16 22:54 d--------	C:\Program Files\Game Accelerator
2007-07-16 15:01 d--------	C:\Program Files\WinPopup Speak
2007-07-15 21:41	164	--a------	C:\install.dat
2007-07-15 01:33 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-07-15 01:24 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-14 23:27 d--------	C:\Program Files\uTorrent
2007-07-14 16:03 d--------	C:\Program Files\Ace Utilities
2007-07-14 01:32 d--------	C:\Program Files\PCPitstop
2007-07-13 22:07 d--------	C:\Program Files\Speed Gear 5

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 00:19	315	--a------	C:\Program Files\ErrDbg.cf
2007-08-13 00:19	1221	--a------	C:\Program Files\f3m0.cf
2007-08-13 00:19	1106	--a------	C:\Program Files\ComboFix.txt
2007-08-12 22:56	---------	d--------	C:\Program Files\WinAce
2007-08-12 22:56	---------	d--------	C:\Program Files\Ubisoft
2007-08-12 22:56	---------	d--------	C:\Program Files\DivX
2007-08-12 22:56	---------	d--------	C:\Program Files\ChessPlanet
2007-08-12 22:56	---------	d--------	C:\Program Files\Ahead
2007-08-12 00:13	---------	d--------	C:\Program Files\MessengerDiscovery
2007-08-11 20:53	9344	--a------	C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 20:53	8320	--a------	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-08 15:28	---------	d--------	C:\Program Files\Arena
2007-08-08 13:36	---------	d--------	C:\Program Files\EMCO Malware Destroyer
2007-08-08 11:51	---------	d--------	C:\Program Files\Common Files\PestPatrol
2007-08-06 21:54	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-06 21:29	---------	d--------	C:\Program Files\Mouse Driver
2007-08-06 21:28	---------	d--------	C:\Program Files\Multimedia Keyboard
2007-08-02 01:00	---------	d--------	C:\Program Files\Remote Desktop Control
2007-07-31 12:31	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\InternetCalls
2007-07-28 02:55	---------	d--------	C:\Program Files\TVR
2007-07-28 02:52	---------	d--------	C:\Program Files\Messenger
2007-07-28 02:38	---------	d--------	C:\Program Files\Common Files\Command Software
2007-07-23 12:54	---------	d--------	C:\Program Files\InfiniaChess
2007-07-19 23:15	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\Lavasoft
2007-07-15 22:16	---------	d--------	C:\Program Files\SCAR 3.06
2007-07-15 22:16	---------	d--------	C:\Program Files\SCAR 3.05
2007-07-15 22:15	---------	d--------	C:\Program Files\ServersCheck_RemoteBooting
2007-07-15 01:03	24	--a------	C:\WINDOWS\twin.dll
2007-07-14 18:16	1682	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-14 18:15	56	-r-hs----	C:\WINDOWS\system32\B0DE9BE21E.sys
2007-07-12 18:18	50520	--a------	C:\WINDOWS\system32\csvidcap.dll
2007-07-01 23:31	---------	d--------	C:\Program Files\CamStudio
2007-06-26 22:22	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\Aquarius Soft
2007-06-23 16:17	23600	--a------	C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-06-18 20:32	---------	d--------	C:\Program Files\WinPcap
2007-06-14 20:07	---------	d--------	C:\Program Files\Common Files\Enterbrain
2006-08-03 00:53	4	--a--c---	C:\Program Files\Common Files\Cvtaqlog.dat
2006-08-01 16:33	560	--a------	C:\Program Files\Global.sw

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f015f320-ab08-11db-abbd-0800200c9a66}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"<NO NAME>"=
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"RecSche"="C:\Program Files\TVR\RecSche.exe"
"GameXL"=
"CreativeMouse"="C:\Program Files\Mouse Driver\MouseDrv.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R2 CSS DVP;CSS DVP;C:\WINDOWS\system32\DRIVERS\css-dvp.sys
R2 FreeTdi;Radialpoint Filter (RPS-12798);C:\WINDOWS\system32\Drivers\FreeTdi.sys
R3 Freedom;Freedom Miniport;C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS
R3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys
R3 LVCap138;TV Card Capture Driver;C:\WINDOWS\system32\DRIVERS\lvcap138.sys
R3 lvtuner;Mercury TV Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\lvtuner.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 sermouse;Serial Mouse Driver;C:\WINDOWS\system32\DRIVERS\sermouse.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 Ca536av;DigitalCam Pro Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys
S2 zntport;NTPort Library Driver;\??\C:\WINDOWS\system32\zntport.sys
S3 FETNDIS;VIA Rhine Family Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver;C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 s116bus;Sony Ericsson Device 116 driver (WDM);C:\WINDOWS\system32\DRIVERS\s116bus.sys
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s116mdm.sys
S3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s116mgmt.sys
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);C:\WINDOWS\system32\DRIVERS\s116nd5.sys
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s116obex.sys
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);C:\WINDOWS\system32\DRIVERS\s116unic.sys
S3 SNPSTD3;USB PC Camera (SNPSTD3);C:\WINDOWS\system32\DRIVERS\snpstd3.sys
S3 usbbus;LGE Mobile Composite USB Device;C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
S3 USBCamera;DigitalCam Pro Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys
S3 UsbDiag;LGE Mobile USB Serial Port;C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
S3 USBModem;LGE Mobile USB Modem;C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
S3 XSHARK;Xploder Driver (xshark.sys);C:\WINDOWS\system32\Drivers\xshark.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 00:54:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 0:55:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-13 00:55
C:\ComboFix2.txt ... 2007-07-28 01:17

--- E O F ---

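An added example, not part of the thread and not ComboFix's own code: the listing above shows five 8,576-byte drivers with generated-looking names in system32\drivers, a pattern worth flagging automatically when reading such logs. The Python below parses lines in the ComboFix "Files Created" format and groups random-looking .sys files by directory and size; the sample lines are copied from the listing above, and the random-name heuristic is my assumption, not anything ComboFix does.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix "Files Created" listing
# posted in this thread (columns are tab-separated, as ComboFix writes them;
# directory lines carry no size column).
SAMPLE_LISTING = """\
2007-07-28 02:00\t8,576\t--a------\tC:\\WINDOWS\\system32\\drivers\\ljnelkliyanu.sys
2007-07-27 17:36 d--------\tC:\\WINDOWS\\system32\\Kaspersky Lab
2007-07-27 13:37\t8,704\t--a------\tC:\\WINDOWS\\system32\\pfdnnt.exe
2007-07-27 12:21\t8,576\t--a------\tC:\\WINDOWS\\system32\\drivers\\opabcojvebht.sys
2007-07-26 21:07\t8,576\t--a------\tC:\\WINDOWS\\system32\\drivers\\cwnsjlwkekub.sys
2007-07-26 20:56\t8,576\t--a------\tC:\\WINDOWS\\system32\\drivers\\auctfrvqnwve.sys
2007-07-26 02:20\t8,576\t--a------\tC:\\WINDOWS\\system32\\drivers\\jibxpfefmjvf.sys
2007-07-26 00:37\t10,872\t--a------\tC:\\WINDOWS\\system32\\drivers\\AvgAsCln.sys
2007-07-23 21:46\t10,252,544\t--a------\tC:\\WINDOWS\\system32\\drivers\\snpstd3.sys
2007-07-22 21:24\t626,688\t--a------\tC:\\WINDOWS\\system32\\msvcr80.dll
"""

# One listing line: date, time, optional size (with thousands separators),
# a 9-character attribute field, then the path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})"
    r"(?:\t(?P<size>[\d,]+))?\s+(?P<attrs>[-a-z]{9})\t(?P<path>.+)$"
)

VOWELS = set("aeiouy")


def parse_listing(text):
    """Turn ComboFix listing lines into dicts; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "date": m.group("date"),
            "time": m.group("time"),
            "size": int(size.replace(",", "")) if size else None,
            "attrs": m.group("attrs"),
            "path": m.group("path"),
            "is_dir": m.group("attrs").startswith("d"),
        })
    return entries


def longest_consonant_run(stem):
    best = run = 0
    for c in stem:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(stem):
    """Assumed heuristic (mine, not ComboFix's): a long, all-lowercase,
    letters-only name with a run of three or more consonants reads like a
    generated name rather than a vendor's driver name."""
    return (len(stem) >= 10 and stem.isalpha() and stem.islower()
            and longest_consonant_run(stem) >= 3)


def find_driver_clusters(entries, min_members=2):
    """Group random-looking .sys files by (directory, size) and return groups
    with at least min_members files. Identical sizes under generated names
    are what one dropper re-installing itself under new names looks like."""
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"] or e["size"] is None:
            continue
        directory, _, name = e["path"].rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "sys" and looks_random(stem):
            groups[(directory.lower(), e["size"])].append(e["path"])
    return {key: paths for key, paths in groups.items() if len(paths) >= min_members}


if __name__ == "__main__":
    clusters = find_driver_clusters(parse_listing(SAMPLE_LISTING))
    for (directory, size), paths in clusters.items():
        print(f"{len(paths)} random-named drivers of {size} bytes in {directory}:")
        for p in paths:
            print("   ", p)
```

On the sample above it reports one cluster: the five 8,576-byte drivers, while AvgAsCln.sys and snpstd3.sys (vendor-style names) are left alone.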

----------



## Cookiegal (Aug 27, 2003)

Before we go any further, I would like to see a HijackThis log showing an anti-virus program installed please.


----------



## theriddler (Jul 23, 2007)

Just downloaded Panda.

I'm going to leave it running overnight. I have to go now; thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 01:31, on 2007-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Advanced Browser\browser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AvltMain.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\Apvxdwin.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: WeeklyExecuter Class - {f015f320-ab08-11db-abbd-0800200c9a66} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\RunOnce: [BorraT2006TMP] cmd /C RD /s/q "C:\DOCUME~1\nick\LOCALS~1\Temp\T2006tmp\"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LifeView HID Service (LvHidSvc) - Animation Technologies Inc. - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe


----------



## Cookiegal (Aug 27, 2003)

Did Panda find anything?


----------



## theriddler (Jul 23, 2007)

Most of them were cookies.

Can you help me with Panda? I'm guessing I have to buy it or something. I must be running an evaluation, but it doesn't state anywhere how I activate it. I think I must have to go online or something.


----------



## Cookiegal (Aug 27, 2003)

Did you download a crack for the XP Smoker program?

crack\xpsmoker.exe


----------



## theriddler (Jul 23, 2007)

No. I paid $39.95 for that program. Hang on, I want to see what that thing actually does.

I have run it and it comes up as this; is that any help?
Does it have a directory? What kind of file path is just "crack"?


----------



## Cookiegal (Aug 27, 2003)

If you look at the Panda scan you will see it. It seems to be a .rar file in your junk folder:

Location: C:\Documents and Settings\nick\Desktop\junk folder\p[1]..sm..pr5_rar.vir[crack\xpsmoker.exe]


----------



## theriddler (Jul 23, 2007)

I looked in my junk folder; none of my rar folders have anything to do with XP Smoker, but I found this file. I opened it, but it just comes up with a box reading "Windows does not recognise this component". It looks like the file name you mentioned in the Panda scan.


----------



## Cookiegal (Aug 27, 2003)

That file has been renamed, probably by one of the programs we've run, but delete it anyway.

Now, I'd like to know what this batch file says but it's important that you *do NOT double click on it. We do NOT want it to run*. What I want you to do is right click on it and select "edit". It will open up in Notepad. Copy and paste the contents in a reply here please.

C:\DOCUMENTS AND SETTINGS\nick\*readme.bat*


----------



## theriddler (Jul 23, 2007)

I don't have an edit button.


----------



## Cookiegal (Aug 27, 2003)

I don't know what you're right clicking on there but you're in the wrong directory. Please check the path I gave you.


----------



## theriddler (Jul 23, 2007)

Sorry, I'm in a world of my own at the moment; some guy on the thread wants me banned.

I'll do the file now, thanks.


----------



## theriddler (Jul 23, 2007)

It's unreadable, and there is no edit either, so I clicked open and then clicked open with WordPad. What the hell is it supposed to be?


----------



## Cookiegal (Aug 27, 2003)

Does that file still have the .bat extension? It's possible it was renamed and if it no longer has that extension, that could explain why there's no edit on the right click.

I'm sending a batch file as a test. Unzip it and save it to your desktop. Right click on it. Do you have the edit function in the menu?


----------



## theriddler (Jul 23, 2007)

It came out as a little white box with cogs in it. I ran it and it opened WordPad.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"APVXDWIN"="\"C:\\Program Files\\Panda Security\\Panda Antivirus + Firewall 2008\\APVXDWIN.EXE\" /s"

I can see the edit button too. By the way, what did that just do?


----------



## Cookiegal (Aug 27, 2003)

It didn't actually "do" anything other than read a registry key as a test.

Open Notepad and copy and paste the text in the quote box below into it:



> File::
> C:\DOCUME~1\nick\install.exe
> C:\DOCUME~1\nick\keygen.exe
> C:\DOCUME~1\nick\crack.exe
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## theriddler (Jul 23, 2007)

Panda just doesn't want to know ComboFix; it keeps blocking it, so I have turned it off. It wants me to get rid of XP Smoker and Bug Doctor; it classes them as "unwanted programs".
I have uninstalled them both.

When I put the file in ComboFix, is it supposed to disappear or remain on the desktop? Here is the log it gave.

ComboFix 07-08-14.4 - "nick" 2007-08-14 20:46:20.2 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.344 [GMT 1:00]
Command switches used :: C:\Documents and Settings\nick\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\DOCUME~1\nick\install.exe
C:\DOCUME~1\nick\keygen.exe
C:\DOCUME~1\nick\crack.exe
C:\DOCUME~1\nick\readme.bat

((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))

2007-08-14 20:41	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-13 01:15	13,880	--a------	C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-08-13 01:15 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-08-13 01:14	83,640	--a------	C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-13 01:14	51,256	--a------	C:\WINDOWS\system32\drivers\dsaflt.sys
2007-08-13 01:14	37,304	--a------	C:\WINDOWS\system32\drivers\smsflt.sys
2007-08-13 01:14	30,648	--a------	C:\WINDOWS\system32\drivers\wnmflt.sys
2007-08-13 01:14	281	--a------	C:\WINDOWS\system32\PavCPL.dat
2007-08-13 01:14	244,952	--a------	C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-08-13 01:14	191,672	--a------	C:\WINDOWS\system32\drivers\idsflt.sys
2007-08-13 01:13	71,736	--a------	C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-08-13 01:13	63,024	--a------	C:\WINDOWS\system32\pavipc.dll
2007-08-13 01:13	50,736	--a------	C:\WINDOWS\system32\avldr.dll
2007-08-13 01:13	292,144	--a------	C:\WINDOWS\system32\PavSHook.dll
2007-08-13 01:13	24,760	--a------	C:\WINDOWS\system32\drivers\cpoint.sys
2007-08-13 01:13	22,072	--a------	C:\WINDOWS\system32\drivers\fnetmon.sys
2007-08-13 01:13	161,328	--a------	C:\WINDOWS\system32\TpUtil.dll
2007-08-13 01:13	142,128	--a------	C:\WINDOWS\system32\drivers\netimflt.sys
2007-08-13 01:13	132,920	--a------	C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-08-13 01:13	101,888	--a------	C:\WINDOWS\system32\SYSTOOLS.DLL
2007-08-13 01:13 d--------	C:\WINDOWS\system32\PAV
2007-08-13 01:13 d--------	C:\Program Files\Panda Security
2007-08-13 01:12	38,968	--a------	C:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-08-13 01:12	178,872	--a------	C:\WINDOWS\system32\drivers\PavProc.sys
2007-08-13 01:08 d--------	C:\Program Files\Common Files\Panda Software
2007-08-12 12:55 d--------	C:\DOCUME~1\nick\APPLIC~1\uTorrent
2007-08-11 20:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 13:00 d--------	C:\Program Files\IDoser
2007-08-10 23:32 d--------	C:\Program Files\Advanced GIF Animator
2007-08-10 18:50 d--------	C:\Program Files\Windows Live
2007-08-09 21:59 d--------	C:\DOCUME~1\nick\Contacts
2007-08-09 21:57 d----c---	C:\WINDOWS\system32\DRVSTORE
2007-08-09 21:53 d--------	C:\Program Files\MSN Messenger
2007-08-09 21:43 d--------	C:\VundoFix Backups
2007-08-08 14:32	556	--a------	C:\WINDOWS\system32\tmp.reg
2007-08-08 14:31	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-08-08 14:31	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-08-08 12:30 d--------	C:\EmergencyUtils
2007-08-08 10:50	3,732	--a------	C:\DOCyoyo.reg
2007-08-07 22:21	84,992	--a------	C:\WINDOWS\system32\atl70.dll
2007-08-07 22:21	262,416	--a------	C:\WINDOWS\system32\ASFV2.DLL
2007-08-07 22:21	15,360	--a------	C:\WINDOWS\system32\asfsipc.dll
2007-08-07 21:05 d--------	C:\Program Files\Support Tools
2007-08-05 11:31 d--------	C:\WINDOWS\BDOSCAN8
2007-08-05 01:13 d--------	C:\Program Files\Advanced Browser
2007-08-04 21:31 d--------	C:\DOCUME~1\nick\DoctorWeb
2007-08-02 22:10 d--------	C:\Program Files\SpywareBlaster
2007-08-02 07:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-08-01 21:18	107,864	--a------	C:\WINDOWS\system32\tsccvid.dll
2007-08-01 21:18 d--------	C:\WINDOWS\system32\QuickTime
2007-08-01 21:17 d--------	C:\Program Files\TechSmith
2007-08-01 21:17 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-08-01 16:23 d--------	C:\DOCUME~1\nick\APPLIC~1\Avant Profiles
2007-08-01 16:21 d--------	C:\DOCUME~1\nick\APPLIC~1\Avant Browser
2007-08-01 16:20 d--------	C:\Program Files\Avant Browser
2007-07-31 21:21	674	--a------	C:\WINDOWS\ie-ads-uninst.reg
2007-07-31 21:21	39,770	--a------	C:\WINDOWS\system32\tcpipbak.reg
2007-07-31 21:21	32,768	--a------	C:\WINDOWS\system32\ServiceRepair.exe
2007-07-28 23:00	159,744	--a------	C:\WINDOWS\system32\hasher.dll
2007-07-28 13:17 d--------	C:\Program Files\Common Files\iS3
2007-07-28 13:17 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-07-28 02:11 d--------	C:\DOCUME~1\nick\APPLIC~1\BitTorrent
2007-07-28 02:00	8,576	--a------	C:\WINDOWS\system32\drivers\ljnelkliyanu.sys
2007-07-28 01:03 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-07-28 01:00 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Advanced Browser
2007-07-27 17:36 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-07-27 13:37	8,704	--a------	C:\WINDOWS\system32\pfdnnt.exe
2007-07-27 12:21	8,576	--a------	C:\WINDOWS\system32\drivers\opabcojvebht.sys
2007-07-26 21:07	8,576	--a------	C:\WINDOWS\system32\drivers\cwnsjlwkekub.sys
2007-07-26 20:56	8,576	--a------	C:\WINDOWS\system32\drivers\auctfrvqnwve.sys
2007-07-26 02:20	8,576	--a------	C:\WINDOWS\system32\drivers\jibxpfefmjvf.sys
2007-07-26 02:12 d--------	C:\WINDOWS\system32\ActiveScan
2007-07-25 20:36 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-25 20:35 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-25 20:35 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 20:35 d--------	C:\DOCUME~1\nick\APPLIC~1\SUPERAntiSpyware.com
2007-07-25 14:30 d--------	C:\Program Files\LizardTech
2007-07-24 22:14 d--------	C:\WINDOWS\ERUNT
2007-07-24 22:02	786,432	--a------	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-24 21:59 d--------	C:\WINDOWS\pss
2007-07-23 21:46	94,208	--a------	C:\WINDOWS\amcap.exe
2007-07-23 21:46	53,248	--a------	C:\WINDOWS\vsnpstd3.dll
2007-07-23 21:46	53,248	--a------	C:\WINDOWS\system32\csnpstd3.dll
2007-07-23 21:46	20,480	--a------	C:\WINDOWS\usnpstd3.exe
2007-07-23 21:46	147,456	--a------	C:\WINDOWS\system32\rsnpstd3.dll
2007-07-23 21:46	10,252,544	--a------	C:\WINDOWS\system32\drivers\snpstd3.sys
2007-07-23 21:46 d--------	C:\Program Files\Common Files\snpstd3
2007-07-22 21:24	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-07-22 21:24 d--------	C:\Program Files\Spyware Doctor
2007-07-19 23:15 d--------	C:\Program Files\Lavasoft
2007-07-18 20:28 d--------	C:\DOCUME~1\nick\APPLIC~1\Google
2007-07-18 20:28 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-17 21:49 d--h-----	C:\WINDOWS\PIF
2007-07-17 21:25 d--------	C:\Program Files\Microsoft Bootvis
2007-07-16 22:54 d--------	C:\Program Files\Game Accelerator
2007-07-16 15:01 d--------	C:\Program Files\WinPopup Speak
2007-07-15 21:41	164	--a------	C:\install.dat
2007-07-15 01:33 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-07-15 01:24 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-14 23:27 d--------	C:\Program Files\uTorrent

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 20:49	244952	--a------	C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-08-14 20:20	1204	--a------	C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-08-14 20:20	1204	--a------	C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-08-13 01:13	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-13 00:19	315	--a------	C:\Program Files\ErrDbg.cf
2007-08-13 00:19	1221	--a------	C:\Program Files\f3m0.cf
2007-08-13 00:19	1106	--a------	C:\Program Files\ComboFix.txt
2007-08-12 22:56	---------	d--------	C:\Program Files\WinAce
2007-08-12 22:56	---------	d--------	C:\Program Files\Ubisoft
2007-08-12 22:56	---------	d--------	C:\Program Files\DivX
2007-08-12 22:56	---------	d--------	C:\Program Files\ChessPlanet
2007-08-12 22:56	---------	d--------	C:\Program Files\Ahead
2007-08-12 00:13	---------	d--------	C:\Program Files\MessengerDiscovery
2007-08-11 20:53	9344	--a------	C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 20:53	8320	--a------	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-08 15:28	---------	d--------	C:\Program Files\Arena
2007-08-08 13:36	---------	d--------	C:\Program Files\EMCO Malware Destroyer
2007-08-08 11:51	---------	d--------	C:\Program Files\Common Files\PestPatrol
2007-08-07 21:05	3270	--a------	C:\WINDOWS\pchealth\HELPCTR\PackageStore\SkuStore.bin
2007-08-06 21:29	---------	d--------	C:\Program Files\Mouse Driver
2007-08-06 21:28	---------	d--------	C:\Program Files\Multimedia Keyboard
2007-08-02 01:00	---------	d--------	C:\Program Files\Remote Desktop Control
2007-07-31 12:31	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\InternetCalls
2007-07-28 02:55	---------	d--------	C:\Program Files\TVR
2007-07-28 02:52	---------	d--------	C:\Program Files\Messenger
2007-07-28 02:38	---------	d--------	C:\Program Files\Common Files\Command Software
2007-07-23 12:54	---------	d--------	C:\Program Files\InfiniaChess
2007-07-19 23:15	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\Lavasoft
2007-07-15 22:16	---------	d--------	C:\Program Files\SCAR 3.06
2007-07-15 22:16	---------	d--------	C:\Program Files\SCAR 3.05
2007-07-15 22:15	---------	d--------	C:\Program Files\ServersCheck_RemoteBooting
2007-07-15 01:03	24	--a------	C:\WINDOWS\twin.dll
2007-07-14 18:16	1682	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-14 18:15	56	-r-hs----	C:\WINDOWS\system32\B0DE9BE21E.sys
2007-07-13 22:15	---------	d--------	C:\Program Files\Speed Gear 5
2007-07-12 18:18	50520	--a------	C:\WINDOWS\system32\csvidcap.dll
2007-07-01 23:31	---------	d--------	C:\Program Files\CamStudio
2007-06-26 22:22	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\Aquarius Soft
2007-06-23 16:17	23600	--a------	C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-06-18 20:32	---------	d--------	C:\Program Files\WinPcap
2007-06-14 20:07	---------	d--------	C:\Program Files\Common Files\Enterbrain
2006-08-03 00:53	4	--a--c---	C:\Program Files\Common Files\Cvtaqlog.dat
2006-08-01 16:33	560	--a------	C:\Program Files\Global.sw

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.exe" [2007-07-19 15:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr] 
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"<NO NAME>"=
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"RecSche"="C:\Program Files\TVR\RecSche.exe"
"GameXL"=
"CreativeMouse"="C:\Program Files\Mouse Driver\MouseDrv.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
R3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys
R3 LVCap138;TV Card Capture Driver;C:\WINDOWS\system32\DRIVERS\lvcap138.sys
R3 lvtuner;Mercury TV Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\lvtuner.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 Ca536av;DigitalCam Pro Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys
S3 FETNDIS;VIA Rhine Family Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 s116bus;Sony Ericsson Device 116 driver (WDM);C:\WINDOWS\system32\DRIVERS\s116bus.sys
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s116mdm.sys
S3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s116mgmt.sys
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);C:\WINDOWS\system32\DRIVERS\s116nd5.sys
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s116obex.sys
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);C:\WINDOWS\system32\DRIVERS\s116unic.sys
S3 usbbus;LGE Mobile Composite USB Device;C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
S3 USBCamera;DigitalCam Pro Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys
S3 UsbDiag;LGE Mobile USB Serial Port;C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
S3 USBModem;LGE Mobile USB Modem;C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
S3 XSHARK;Xploder Driver (xshark.sys);C:\WINDOWS\system32\Drivers\xshark.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 20:50:04
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 20:51:58
C:\ComboFix-quarantined-files.txt ... 2007-08-14 20:51
C:\ComboFix2.txt ... 2007-08-13 00:55
C:\ComboFix3.txt ... 2007-07-28 01:17

--- E O F ---


----------



## Cookiegal (Aug 27, 2003)

What is the situation now? What problems, if any, remain?


----------



## theriddler (Jul 23, 2007)

My computer is fine in terms of viruses: no more hijacked web browsers and no more stupid pop-ups, but the CPU usage keeps jumping so high; it like drops then rises, drops then rises etc. Could be because I have got so much software on my computer, e.g. SAS, Panda, PC guard, Ad-Aware, Ad-Aware 2007, SpywareBlaster, EMCO Malware; could they conflict with each other or something?

Come to think of it, EMCO found 2 viruses the other day, a NMC.BIT.TORRENT and a NMC.FUBALCA.N. It quarantined them so they're probably dead by now.


----------



## Cookiegal (Aug 27, 2003)

What process is using the CPU at that time?

Emco has had a reputation in the past as being prone to false positives. I don't know if that's been corrected but I would uninstall this program.


----------



## theriddler (Jul 23, 2007)

The Task Manager itself, which makes no sense to me at all.


----------



## theriddler (Jul 23, 2007)

Also my internet keeps on disconnecting; it just goes off every now and again and it won't come back on. I try unplugging the modem and plugging it back in, and I tried using the blueyonder support which tests the connection. The only way I can get it back on is to restart my computer.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start * *Run *- type *msconfig*  click OK and click on the *startup tab*. Uncheck everything there. Then reboot and let me know if the problem persists please.

Be sure to re-enable your anti-virus program before going back on-line.


----------



## theriddler (Jul 23, 2007)

The stupid Task Manager is still resource hogging; I tried turning off the startup programs but it didn't make much difference.

My computer now boots about 100 times faster though, thanks.


----------



## Cookiegal (Aug 27, 2003)

Go back into msconfig, select the "Services" tab and check "Hide Microsoft Services".

Then try unchecking all the NON-Microsoft services and reboot. Let me know if that solves the problem.


----------



## theriddler (Jul 23, 2007)

Great, I just downloaded some stupid add-on for Windows Live Messenger, and it's just wiped the floor with my comp. I have used VundoFix to remove the Vundo, but something else has got in.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Logfile of HijackThis v1.99.1
Scan saved at 23:30, on 2007-08-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\avciman.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\psimreal.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\??stem32\e?plorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Documents and Settings\nick\Desktop\VundoFix.exe
C:\Documents and Settings\nick\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Lfjusga] "C:\Program Files\??stem32\e?plorer.exe"
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152887403499
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152887390889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe

I'll run the Panda scan overnight and see what it comes up with, sorry.


----------
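
The entries theriddler pasted at the top of that post (the `system.ini` `Shell=` line with a second executable, the bare-name `[smgr] mgrs.exe` Run entry, the `??stem32\e?plorer.exe` path, the `system.exe`/`autorun.exe` Startup-folder items, the `DisableRegedit=1` policy and the `AppInit_DLLs` value pointing at an `.ini`) are the classic XP-era persistence points a responder looks for first. As an added example that is not part of the thread and not anything HijackThis itself does, here is a small Python triage script that reads HijackThis-style lines and flags those patterns. The sample log is constructed from the entries posted above plus two legitimate ones for contrast; the rules, the `ALLOWED_BARE` and `GENERIC_STARTUP_NAMES` lists and the wording of the reasons are this example's own assumptions.

```python
"""Triage of HijackThis-style persistence entries (added example).

Flags the XP-era persistence patterns visible in the thread's log. The
rules, the name lists and the sample log are this example's own
constructions; HijackThis itself only lists entries and does not score them.
"""
import re

# Constructed sample: the suspicious entries from the log posted in the
# thread, plus two legitimate entries (NvCplDaemon, the NVIDIA service)
# that the rules must leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Lfjusga] "C:\Program Files\??stem32\e?plorer.exe"
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\hanonvt.ini
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumptions of this example: bare names that are routinely launched
# without a path, and startup-folder names that copy OS binaries.
ALLOWED_BARE = {"rundll32.exe"}
GENERIC_STARTUP_NAMES = {"system.exe", "autorun.exe", "svchost.exe", "winlogon.exe"}


def first_token(cmd):
    """Executable part of a command line, honouring a quoted first argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_run_entry(cmd):
    """Reasons a Run-key command line is suspicious (empty list if none)."""
    reasons = []
    exe = first_token(cmd)
    # '?' is not a legal file-name character on Windows, so a '?' in a logged
    # path means the tool could not print the real (non-ASCII) character:
    # a look-alike of system32\explorer.exe rather than the real thing.
    if "?" in cmd:
        reasons.append("path contains '?': non-ASCII look-alike characters in the file name")
    if "\\" not in exe and exe.lower() not in ALLOWED_BARE:
        reasons.append("bare executable name, resolved through the search path")
    return reasons


def triage(log_text):
    """Return one finding per suspicious line: {'kind', 'line', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if kind == "F2" and "Shell=" in body:
            # The Shell value must be exactly Explorer.exe; anything appended
            # is started alongside the desktop at every logon.
            shell = body.split("Shell=", 1)[1].split()
            if [s.lower() for s in shell] != ["explorer.exe"]:
                reasons.append("Shell= carries an extra executable after Explorer.exe")
        elif kind == "O4":
            run = RUN_ENTRY.match(body)
            if run:
                reasons += check_run_entry(run.group("cmd"))
            elif body.startswith(("Startup: ", "Global Startup: ")):
                name = body.split(": ", 1)[1].strip().lower()
                if name in GENERIC_STARTUP_NAMES:
                    reasons.append("startup-folder executable named after an OS binary")
        elif kind == "O7" and "DisableRegedit=1" in body:
            reasons.append("policy disables Registry Editor (hinders manual clean-up)")
        elif kind == "O20" and body.startswith("AppInit_DLLs: "):
            value = body.split(": ", 1)[1].strip()
            if value:
                reasons.append("AppInit_DLLs is loaded into every process that links user32.dll")
                if not value.lower().endswith(".dll"):
                    reasons.append("AppInit_DLLs payload hides behind a non-.dll extension")
        if reasons:
            findings.append({"kind": kind, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Run it as a script and it prints the seven flagged lines with their reasons, leaving the NvCplDaemon and NVIDIA service entries alone. The point of the `'?'` rule is worth remembering when reading any such log: Windows will not create a file whose name contains `?`, so a logged path like `C:\Program Files\??stem32\e?plorer.exe` is the tool telling you it saw characters it could not print, which is exactly how that Run entry impersonates `system32\explorer.exe`.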



## Cookiegal (Aug 27, 2003)

What am I going to do with you?   


Please run ComboFix again, in safe mode, and post the log.


----------



## theriddler (Jul 23, 2007)

Lol 

I ran both Panda and SAS; SAS didn't give me a report though, it made me reboot first. I thought maybe it would come up after the reboot but it didn't. I ran the ComboFix but it got to the bit where it tells me it's preparing a log, then it just went to this screen. I have left it like this for the past 20 minutes and it doesn't look like it's going to do anything else.


----------



## theriddler (Jul 23, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/16/2007 at 03:06 PM

Application Version : 3.9.1008

Core Rules Database Version : 3284
Trace Rules Database Version: 1295

Scan type : Complete Scan
Total Scan Time : 02:36:58

Memory items scanned : 422
Memory threats detected : 1
Registry items scanned : 5834
Registry threats detected : 10
File items scanned : 109152
File threats detected : 30

Adware.ClickSpring/Resident
C:\PROGRA~1\STEM32~1\EPLORE~1.EXE
C:\PROGRA~1\STEM32~1\EPLORE~1.EXE

Trojan.Net-AVP/AVT
[WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
C:\WINDOWS\SYSTEM32\WINAVXX.EXE
[WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\AUTORUN.EXE
C:\DOCUMENTS AND SETTINGS\NICK\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP197\A0111332.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP197\A0111333.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP197\A0111334.EXE
C:\WINDOWS\SYSTEM32\PRINTER.EXE
C:\WINDOWS\Prefetch\PRINTER.EXE-0E099EB1.pf
C:\WINDOWS\Prefetch\WINAVXX.EXE-050EF48B.pf

Adware.Tracking Cookie
C:\Documents and Settings\nick\Cookies\[email protected][1].txt
C:\Documents and Settings\nick\Cookies\[email protected][1].txt

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PID
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
HKLM\SOFTWARE\Microsoft\MSSMGR#LID
C:\WINDOWS\SYSTEM32\WCPSU.EXE

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo\OiUninstaller.exe
C:\Program Files\Outerinfo\outerinfo.ico
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Documents and Settings\nick\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\nick\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\nick\Start Menu\Programs\Outerinfo

Adware.ClickSpring
C:\DOCUMENTS AND SETTINGS\NICK\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\23C7Q9OV\!UPDATE-4395[1].0000

Adware.Search2Find
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP197\A0111309.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP197\A0111310.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP197\A0111311.LNK

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP197\A0111323.DLL
C:\WINDOWS\SYSTEM32\LJJKKHG.DLL

Trojan.Downloader-Gen/NoMultiTask
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9194D392-2571-44DC-AFE1-2D4FA7AA42CE}\RP197\A0111347.DLL

Adware.ClickSpring/Yazzle
C:\WINDOWS\PREFETCH\YAZZLE1162OINADMIN.EXE-04B49B8B.PF

Trace.Known Threat Sources
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\dohinst-103[1].sig
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\ZFLT1D9Y\ctxad-558[1].0001


----------



## Cookiegal (Aug 27, 2003)

Are you sure you're running ComboFix from the desktop and not from your C root?


----------



## theriddler (Jul 23, 2007)

Yep, 100%. It does all the fixing stuff and reboots; it's just when it's creating a log that it went off. I'll try again, it might have just been a freak accident.


----------



## theriddler (Jul 23, 2007)

Hey! It worked this time. I can't see it finding much as it must have already cleaned out anything bad the first time I tried.

ComboFix 07-08-14.4 - "nick" 2007-08-16 22:18:28.5 - NTFSx86 
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.401 [GMT 1:00]

((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))

2007-08-16 15:30	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-13 01:15	13,880	--a------	C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-08-13 01:15 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-08-13 01:14	83,640	--a------	C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-13 01:14	51,256	--a------	C:\WINDOWS\system32\drivers\dsaflt.sys
2007-08-13 01:14	37,304	--a------	C:\WINDOWS\system32\drivers\smsflt.sys
2007-08-13 01:14	30,648	--a------	C:\WINDOWS\system32\drivers\wnmflt.sys
2007-08-13 01:14	281	--a------	C:\WINDOWS\system32\PavCPL.dat
2007-08-13 01:14	265,092	--a------	C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-08-13 01:14	191,672	--a------	C:\WINDOWS\system32\drivers\idsflt.sys
2007-08-13 01:13	71,736	--a------	C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-08-13 01:13	63,024	--a------	C:\WINDOWS\system32\pavipc.dll
2007-08-13 01:13	50,736	--a------	C:\WINDOWS\system32\avldr.dll
2007-08-13 01:13	292,144	--a------	C:\WINDOWS\system32\PavSHook.dll
2007-08-13 01:13	24,760	--a------	C:\WINDOWS\system32\drivers\cpoint.sys
2007-08-13 01:13	22,072	--a------	C:\WINDOWS\system32\drivers\fnetmon.sys
2007-08-13 01:13	161,328	--a------	C:\WINDOWS\system32\TpUtil.dll
2007-08-13 01:13	142,128	--a------	C:\WINDOWS\system32\drivers\netimflt.sys
2007-08-13 01:13	132,920	--a------	C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-08-13 01:13	101,888	--a------	C:\WINDOWS\system32\SYSTOOLS.DLL
2007-08-13 01:13 d--------	C:\WINDOWS\system32\PAV
2007-08-13 01:13 d--------	C:\Program Files\Panda Security
2007-08-13 01:12	38,968	--a------	C:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-08-13 01:12	178,872	--a------	C:\WINDOWS\system32\drivers\PavProc.sys
2007-08-13 01:08 d--------	C:\Program Files\Common Files\Panda Software
2007-08-12 12:55 d--------	C:\DOCUME~1\nick\APPLIC~1\uTorrent
2007-08-11 20:50 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 13:00 d--------	C:\Program Files\IDoser
2007-08-10 23:32 d--------	C:\Program Files\Advanced GIF Animator
2007-08-10 18:50 d--------	C:\Program Files\Windows Live
2007-08-09 21:59 d--------	C:\DOCUME~1\nick\Contacts
2007-08-09 21:57 d----c---	C:\WINDOWS\system32\DRVSTORE
2007-08-09 21:53 d--------	C:\Program Files\MSN Messenger
2007-08-09 21:43 d--------	C:\VundoFix Backups
2007-08-08 14:32	556	--a------	C:\WINDOWS\system32\tmp.reg
2007-08-08 14:31	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-08-08 14:31	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-08-08 12:30 d--------	C:\EmergencyUtils
2007-08-08 10:50	3,732	--a------	C:\DOCyoyo.reg
2007-08-07 22:21	84,992	--a------	C:\WINDOWS\system32\atl70.dll
2007-08-07 22:21	262,416	--a------	C:\WINDOWS\system32\ASFV2.DLL
2007-08-07 22:21	15,360	--a------	C:\WINDOWS\system32\asfsipc.dll
2007-08-07 21:05 d--------	C:\Program Files\Support Tools
2007-08-05 11:31 d--------	C:\WINDOWS\BDOSCAN8
2007-08-05 01:13 d--------	C:\Program Files\Advanced Browser
2007-08-04 21:31 d--------	C:\DOCUME~1\nick\DoctorWeb
2007-08-02 22:10 d--------	C:\Program Files\SpywareBlaster
2007-08-02 07:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-08-01 21:18	107,864	--a------	C:\WINDOWS\system32\tsccvid.dll
2007-08-01 21:18 d--------	C:\WINDOWS\system32\QuickTime
2007-08-01 21:17 d--------	C:\Program Files\TechSmith
2007-08-01 21:17 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-08-01 16:23 d--------	C:\DOCUME~1\nick\APPLIC~1\Avant Profiles
2007-08-01 16:21 d--------	C:\DOCUME~1\nick\APPLIC~1\Avant Browser
2007-08-01 16:20 d--------	C:\Program Files\Avant Browser
2007-07-31 21:21	674	--a------	C:\WINDOWS\ie-ads-uninst.reg
2007-07-31 21:21	39,770	--a------	C:\WINDOWS\system32\tcpipbak.reg
2007-07-31 21:21	32,768	--a------	C:\WINDOWS\system32\ServiceRepair.exe
2007-07-28 23:00	159,744	--a------	C:\WINDOWS\system32\hasher.dll
2007-07-28 13:17 d--------	C:\Program Files\Common Files\iS3
2007-07-28 13:17 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-07-28 02:11 d--------	C:\DOCUME~1\nick\APPLIC~1\BitTorrent
2007-07-28 02:00	8,576	--a------	C:\WINDOWS\system32\drivers\ljnelkliyanu.sys
2007-07-28 01:03 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-07-28 01:00 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Advanced Browser
2007-07-27 17:36 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-07-27 12:21	8,576	--a------	C:\WINDOWS\system32\drivers\opabcojvebht.sys
2007-07-26 21:07	8,576	--a------	C:\WINDOWS\system32\drivers\cwnsjlwkekub.sys
2007-07-26 20:56	8,576	--a------	C:\WINDOWS\system32\drivers\auctfrvqnwve.sys
2007-07-26 02:20	8,576	--a------	C:\WINDOWS\system32\drivers\jibxpfefmjvf.sys
2007-07-26 02:12 d--------	C:\WINDOWS\system32\ActiveScan
2007-07-25 20:36 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-25 20:35 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-25 20:35 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 20:35 d--------	C:\DOCUME~1\nick\APPLIC~1\SUPERAntiSpyware.com
2007-07-25 14:30 d--------	C:\Program Files\LizardTech
2007-07-24 22:14 d--------	C:\WINDOWS\ERUNT
2007-07-24 22:02	786,432	--a------	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-24 21:59 d--------	C:\WINDOWS\pss
2007-07-23 21:46	94,208	--a------	C:\WINDOWS\amcap.exe
2007-07-23 21:46	53,248	--a------	C:\WINDOWS\vsnpstd3.dll
2007-07-23 21:46	53,248	--a------	C:\WINDOWS\system32\csnpstd3.dll
2007-07-23 21:46	20,480	--a------	C:\WINDOWS\usnpstd3.exe
2007-07-23 21:46	147,456	--a------	C:\WINDOWS\system32\rsnpstd3.dll
2007-07-23 21:46	10,252,544	--a------	C:\WINDOWS\system32\drivers\snpstd3.sys
2007-07-23 21:46 d--------	C:\Program Files\Common Files\snpstd3
2007-07-22 21:24	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-07-22 21:24 d--------	C:\Program Files\Spyware Doctor
2007-07-19 23:15 d--------	C:\Program Files\Lavasoft
2007-07-18 20:28 d--------	C:\DOCUME~1\nick\APPLIC~1\Google
2007-07-18 20:28 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-17 21:49 d--h-----	C:\WINDOWS\PIF
2007-07-17 21:25 d--------	C:\Program Files\Microsoft Bootvis
2007-07-16 22:54 d--------	C:\Program Files\Game Accelerator
2007-07-16 15:01 d--------	C:\Program Files\WinPopup Speak

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-16 22:17	1204	--a------	C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-08-16 22:17	1204	--a------	C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-08-16 21:50	265092	--a------	C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-08-13 01:13	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-08-13 00:19	315	--a------	C:\Program Files\ErrDbg.cf
2007-08-13 00:19	1221	--a------	C:\Program Files\f3m0.cf
2007-08-13 00:19	1106	--a------	C:\Program Files\ComboFix.txt
2007-08-12 22:56	---------	d--------	C:\Program Files\WinAce
2007-08-12 22:56	---------	d--------	C:\Program Files\Ubisoft
2007-08-12 22:56	---------	d--------	C:\Program Files\DivX
2007-08-12 22:56	---------	d--------	C:\Program Files\ChessPlanet
2007-08-12 22:56	---------	d--------	C:\Program Files\Ahead
2007-08-12 00:13	---------	d--------	C:\Program Files\MessengerDiscovery
2007-08-08 15:28	---------	d--------	C:\Program Files\Arena
2007-08-08 13:36	---------	d--------	C:\Program Files\EMCO Malware Destroyer
2007-08-08 11:51	---------	d--------	C:\Program Files\Common Files\PestPatrol
2007-08-07 21:05	3270	--a------	C:\WINDOWS\pchealth\HELPCTR\PackageStore\SkuStore.bin
2007-08-06 21:29	---------	d--------	C:\Program Files\Mouse Driver
2007-08-06 21:28	---------	d--------	C:\Program Files\Multimedia Keyboard
2007-08-02 01:00	---------	d--------	C:\Program Files\Remote Desktop Control
2007-07-31 12:31	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\InternetCalls
2007-07-28 02:55	---------	d--------	C:\Program Files\TVR
2007-07-28 02:52	---------	d--------	C:\Program Files\Messenger
2007-07-28 02:38	---------	d--------	C:\Program Files\Common Files\Command Software
2007-07-28 02:35	---------	d--------	C:\Program Files\Ace Utilities
2007-07-23 12:54	---------	d--------	C:\Program Files\InfiniaChess
2007-07-22 00:06	---------	d--------	C:\Program Files\PCPitstop
2007-07-19 23:15	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\Lavasoft
2007-07-15 22:16	---------	d--------	C:\Program Files\SCAR 3.06
2007-07-15 22:16	---------	d--------	C:\Program Files\SCAR 3.05
2007-07-15 22:15	---------	d--------	C:\Program Files\ServersCheck_RemoteBooting
2007-07-15 01:03	24	--a------	C:\WINDOWS\twin.dll
2007-07-14 23:27	---------	d--------	C:\Program Files\uTorrent
2007-07-14 18:16	1682	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-14 18:15	56	-r-hs----	C:\WINDOWS\system32\B0DE9BE21E.sys
2007-07-13 22:15	---------	d--------	C:\Program Files\Speed Gear 5
2007-07-12 18:18	50520	--a------	C:\WINDOWS\system32\csvidcap.dll
2007-07-01 23:31	---------	d--------	C:\Program Files\CamStudio
2007-06-26 22:22	---------	d--------	C:\DOCUME~1\nick\APPLIC~1\Aquarius Soft
2007-06-23 16:17	23600	--a------	C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-06-18 20:32	---------	d--------	C:\Program Files\WinPcap
2006-08-03 00:53	4	--a--c---	C:\Program Files\Common Files\Cvtaqlog.dat
2006-08-01 16:33	560	--a------	C:\Program Files\Global.sw

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0B67065-4957-40B2-8EF8-E2C34781292B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 08:56]
"Lfjusga"="C:\Program Files\??stem32\e?plorer.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AceUtils"="C:\Program Files\Ace Utilities\au.exe" /ebh

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr] 
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttqno] 
awttqno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32] 
winzlo32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hanonvt.ini

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"rpcapd"=3 (0x3)
"LvHidSvc"=2 (0x2)
"EpsonBidirectionalService"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"<NO NAME>"=
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"RecSche"="C:\Program Files\TVR\RecSche.exe"
"GameXL"=
"CreativeMouse"="C:\Program Files\Mouse Driver\MouseDrv.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys
R3 LVCap138;TV Card Capture Driver;C:\WINDOWS\system32\DRIVERS\lvcap138.sys
R3 lvtuner;Mercury TV Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\lvtuner.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 Ca536av;DigitalCam Pro Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys
S3 FETNDIS;VIA Rhine Family Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 s116bus;Sony Ericsson Device 116 driver (WDM);C:\WINDOWS\system32\DRIVERS\s116bus.sys
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s116mdm.sys
S3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s116mgmt.sys
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);C:\WINDOWS\system32\DRIVERS\s116nd5.sys
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s116obex.sys
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);C:\WINDOWS\system32\DRIVERS\s116unic.sys
S3 usbbus;LGE Mobile Composite USB Device;C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
S3 USBCamera;DigitalCam Pro Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys
S3 UsbDiag;LGE Mobile USB Serial Port;C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
S3 USBModem;LGE Mobile USB Modem;C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
S3 XSHARK;Xploder Driver (xshark.sys);C:\WINDOWS\system32\Drivers\xshark.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 22:22:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-16 22:24:46
C:\ComboFix-quarantined-files.txt ... 2007-08-16 22:24
C:\ComboFix2.txt ... 2007-08-14 20:51
C:\ComboFix3.txt ... 2007-08-13 00:55

--- E O F ---


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the quote box below into it:



> Registry::
> [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> "Lfjusga"=-
> [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttqno]
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------
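The log above shows three of the persistence points worth knowing on XP: Winlogon Notify packages (DLLs loaded into winlogon.exe at logon), AppInit_DLLs (loaded into every process that maps user32.dll) and SecurityProviders (loaded by the SSPI security subsystem). Cookiegal's CFScript goes after the `awttqno` Notify key. The script below is an added example, not ComboFix's code and not part of any post: it pulls those three locations out of a ComboFix-style log excerpt, scores each entry against a Windows XP default allowlist, and drafts the `Registry::` lines using only the two forms visible in the thread (`[-KEY]` to delete a key, `"Value"=-` to delete a value). The allowlists, the log excerpt (hand-copied from the log above) and the choice to delete rather than blank `AppInit_DLLs` are my assumptions.

```python
"""Triage of the autostart locations shown in the ComboFix log above.

Added example for this thread: not ComboFix's code and not part of any post.
The default allowlists are assumptions (Windows XP SP2 as I know it); check
them against a clean reference machine before acting on a result.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "location name severity reason")

# Assumed XP SP2 defaults.  Anything else is at least worth a look.
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
DEFAULT_SECPROV = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

NOTIFY_PREFIX = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
WINDOWS_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\windows"
SECPROV_KEY = "hkey_local_machine\\system\\currentcontrolset\\control\\securityproviders"

# Constructed excerpt: the relevant entries hand-copied from the log posted above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\\WINDOWS\\system32\\avldr.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\awttqno]
awttqno.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\winzlo32]
winzlo32.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"appinit_dlls"=C:\\WINDOWS\\system32\\hanonvt.ini
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
SecurityProviders\tmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
"""


def parse_autostarts(text):
    """Yield (location, name, line) for the three locations of interest."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry key header
            continue
        if current is None:
            continue
        if current.startswith(NOTIFY_PREFIX):
            yield "winlogon_notify", current[len(NOTIFY_PREFIX):], line
        elif current == WINDOWS_KEY and line.lower().startswith('"appinit_dlls"='):
            yield "appinit_dlls", line.split("=", 1)[1].strip(), line
        elif current == SECPROV_KEY and line.lower().startswith("securityproviders"):
            yield "security_providers", line.split(None, 1)[1].strip(), line


def triage(text):
    """HIGH = should not be there at all; REVIEW = non-default, identify it first."""
    findings = []
    for loc, name, line in parse_autostarts(text):
        if loc == "winlogon_notify":
            parts = line.split()
            if len(parts) == 1:
                # The other Notify entries carry timestamp, size and full path;
                # a bare DLL name means the scanner had no file to describe.
                findings.append(Finding(loc, name, "HIGH",
                                        f"{parts[0]}: no file details in the log"))
            elif name not in DEFAULT_NOTIFY:
                findings.append(Finding(loc, name, "REVIEW",
                                        f"{parts[0]}: not an XP default Notify package"))
        elif loc == "appinit_dlls" and name:
            # Empty on a clean XP box.  A non-.dll extension is a classic trick:
            # LoadLibrary does not care what the file is called.
            sev = "REVIEW" if name.lower().endswith(".dll") else "HIGH"
            findings.append(Finding(loc, name, sev, "AppInit_DLLs is non-empty"))
        elif loc == "security_providers":
            for entry in (e.strip().lower() for e in name.split(",")):
                if entry and entry not in DEFAULT_SECPROV:
                    findings.append(Finding(loc, entry, "HIGH",
                                            "not in the XP default SecurityProviders list"))
    return findings


def cfscript_for(findings):
    """Draft the 'Registry::' section of a CFScript for the HIGH findings using only
    the two forms visible in the thread: '[-KEY]' deletes a key, '"Value"=-' deletes
    a value.  SecurityProviders must be rewritten rather than deleted, so those
    findings come back separately for manual editing."""
    lines, manual = ["Registry::"], []
    for f in findings:
        if f.severity != "HIGH":
            continue
        if f.location == "winlogon_notify":
            lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                         "\\currentversion\\winlogon\\notify\\" + f.name + "]")
        elif f.location == "appinit_dlls":
            lines.append("[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                         "\\currentversion\\windows]")
            lines.append('"AppInit_DLLs"=-')   # assumption: deleting the value is acceptable
        else:
            manual.append(f)
    return "\n".join(lines) + "\n", manual


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:6} {f.location:19} {f.name}: {f.reason}")
    print(cfscript_for(found)[0])
```

Run against the excerpt, the two bare Notify entries, the `.ini` in AppInit_DLLs and `zwebauth.dll` come out HIGH, while Panda's `avldr.dll` comes out REVIEW because the log shows a real file behind it. The drafted script covers the key and value deletions; the SecurityProviders value has to be edited back to the four defaults by hand.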



## theriddler (Jul 23, 2007)

It all went pear-shaped.

I used the script like you said and then the screen went blank. When it came back on, all the icons were wrecked again. I can't even get on System Restore. It's exactly the same problem devilhimself had helped me with before.


----------



## Cookiegal (Aug 27, 2003)

So you're saying this is exactly what happened before and the file associations regfix fixed it?


----------



## theriddler (Jul 23, 2007)

I just used those association fixes again and the shortcuts are working; it's just that I still can't see the icons inside of them. They're still just white boxes with cogs in. I'm sure that will clean up when I reboot.

One last problem: I have been using Ad-Aware Pro SE. I put it on the scan for ADS, whatever that is, and it finds 610 critical items, and when I try and get rid of them it just freezes.

You must be getting annoyed with me now, sorry.


----------



## Cookiegal (Aug 27, 2003)

ADS are Alternate Data Streams, which are attached to files and/or directories, and many are legit. Is Ad-Aware flagging them all as bad? We can scan for ADS with HJT, so please do this:

Open HijackThis and click on "config" and then on "misc tools" and "Open ADS Spy". Click "Scan" and then "Save log" and post the log here please.


----------



## theriddler (Jul 23, 2007)

When I click Save log, HijackThis closes.


----------



## Cookiegal (Aug 27, 2003)

Are you sure you're clicking on the right Scan button (the upper one)?


----------



## theriddler (Jul 23, 2007)

Yep, I'm using the top one, same problem though.

I don't think my computer is letting Notepad open. I'll restart and try it.


----------



## Cookiegal (Aug 27, 2003)

Ok.


----------



## theriddler (Jul 23, 2007)

The desktop keeps disappearing, coming back on, then leaving again. I managed to run SmitFraudFix and it came up with some stuff and cleaned it. I used the Virtumonde clean tool; it found a Virtumonde.

And some pop-up keeps coming up from Microsoft telling me to get WinAntiVirusPro 2007 and System Doctor. No matter what I click, it opens it up in the web page, and when I close it the desktop leaves again.

In safe mode it's okay though, so I'm going to try HijackThis in safe mode; maybe I'll have some luck there.


I'm also getting random desktop items like free online casino, free online dating and some other icons that are rude.


----------



## theriddler (Jul 23, 2007)

C:\Documents and Settings\All Users\Application Data\TEMP : 4B7BEAFF (103 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : D1B5B4F1 (160 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : 4B7BEAFF (103 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : D1B5B4F1 (160 bytes)


I unticked the quick scan, but I left "ignore safe system info streams" ticked.


----------
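The four lines theriddler posted are the ADS Spy output format, `path : streamname (size bytes)`. Two things a practitioner would check before worrying about a count: the same two streams are listed twice, so the raw line count overstates what is there, and the stream's name and size tell you far more than its existence (`Zone.Identifier`, for instance, is the download marker Windows itself attaches to files saved from the browser). The script below is an added example, not HijackThis or Ad-Aware code and not part of any post, that parses that format, collapses duplicates and classifies each stream. The sample log is constructed: the first four lines are the posted ones, the last two are made up to show a benign stream and an executable hidden in a stream; `BENIGN_STREAMS` and the size threshold are my assumptions.

```python
"""Parse and triage HijackThis ADS Spy output.

Added example for the ADS discussion above; not HijackThis or Ad-Aware code
and not part of any post.  BENIGN_STREAMS and the 4 KiB threshold are assumptions.
"""
import re
from collections import OrderedDict

# One ADS Spy line: "<path> : <stream name> (<size> bytes)"
ADS_LINE = re.compile(r"^(?P<path>.+?) : (?P<stream>.+?) \((?P<size>\d+) bytes\)$")

# Windows' own download marker (Attachment Manager "mark of the web").
BENIGN_STREAMS = {"zone.identifier"}
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample: lines 1-4 are the ones posted above (each stream appears
# twice in the log); lines 5-6 are made up to show the other two outcomes.
SAMPLE_ADS_LOG = """\
C:\\Documents and Settings\\All Users\\Application Data\\TEMP : 4B7BEAFF (103 bytes)
C:\\Documents and Settings\\All Users\\Application Data\\TEMP : D1B5B4F1 (160 bytes)
C:\\Documents and Settings\\All Users\\Application Data\\TEMP : 4B7BEAFF (103 bytes)
C:\\Documents and Settings\\All Users\\Application Data\\TEMP : D1B5B4F1 (160 bytes)
C:\\Documents and Settings\\theriddler\\Desktop\\setup.exe : Zone.Identifier (26 bytes)
C:\\WINDOWS\\system32\\calc.exe : hidden.exe (44544 bytes)
"""


def parse_ads_log(text):
    """Return unique (path, stream, size) entries in first-seen order and the
    number of duplicate lines that were collapsed."""
    seen, dupes = OrderedDict(), 0
    for line in text.splitlines():
        m = ADS_LINE.match(line.strip())
        if not m:
            continue                      # blank line or chatter from the tool
        key = (m["path"], m["stream"])
        if key in seen:
            dupes += 1
        else:
            seen[key] = int(m["size"])
    return [(p, s, n) for (p, s), n in seen.items()], dupes


def classify(stream, size):
    """Severity from the stream name and size; existence alone means nothing."""
    s = stream.lower()
    if s in BENIGN_STREAMS:
        return "BENIGN", "Windows download marker"
    if s.endswith(EXEC_EXTS):
        return "HIGH", "executable content stored in a named stream"
    if size >= 4096:
        return "REVIEW", "payload-sized stream; dump and inspect it"
    return "REVIEW", "unrecognised small stream; many are legitimate, identify before deleting"


def triage_ads(text):
    """(path, stream, size, severity, reason) per unique stream, plus duplicate count."""
    entries, dupes = parse_ads_log(text)
    return [(p, s, n) + classify(s, n) for p, s, n in entries], dupes


if __name__ == "__main__":
    rows, dupes = triage_ads(SAMPLE_ADS_LOG)
    print(f"{len(rows)} unique streams ({dupes} duplicate lines dropped)")
    for path, stream, size, sev, why in rows:
        print(f"{sev:6} {path}:{stream} ({size} bytes) - {why}")
```

On the posted lines this yields two unique streams, not four, both small and both sitting on the shared TEMP directory; they land in REVIEW rather than HIGH because a hex-named stream of 100-odd bytes is not evidence of anything on its own, which is the point Cookiegal makes about many ADS being legitimate.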



## Cookiegal (Aug 27, 2003)

I believe we've used WinpFind3u before and if so, then you don't have to redownload it but I'm posting my entire instructions for it.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes* group click *ALL*.
In the *Win32 Services* group click *ALL*.
In the *Driver Services* group click *ALL*.
In the *Registry* group click *ALL*.
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group select *ALL*.
In the *Additional Scans* section please select *ALL*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## theriddler (Jul 23, 2007)

Wow, that's one massive log. It's so big I'm not even allowed to put it as an attachment.

I have separated it into two logs. I did the scan on my brother's user; this won't make any difference to the results, will it?


----------



## Cookiegal (Aug 27, 2003)

It could have. How many user accounts are there on this machine?


----------



## theriddler (Jul 23, 2007)

Two, me and my brother. Should I boot in safe mode and then run it again as the administrator? I'm guessing that will cover the whole computer?


----------



## Cookiegal (Aug 27, 2003)

No but I'd like to see a HijackThis log from your brother's account please.


----------



## theriddler (Jul 23, 2007)

Urgh, I can't, he won't let me. He told me about an hour ago to log onto my own. I don't know his password and I doubt he'd want me fooling on his. He won't have Windows Live Messenger on his because it "pops" up at the beginning.

I think there is a more sinister reason why he doesn't want me on his user, sorry.


----------



## Cookiegal (Aug 27, 2003)

I need you to run WinpFind3u from your account and upload that log please.


----------



## theriddler (Jul 23, 2007)

I have a major problem: my desktop won't load up. It comes on then disappears. The last time this happened it would stay, but now it just keeps going off.

I have tried running it through Task Manager by making the task "explorer.exe", no luck, it comes and goes. I had some tools downloaded so it would load msconfig. I have put it in safe mode; the same still happens. I have even tried using System Restore; it still happens even after. I have run a few scans in safe mode and there is still no difference. I have run checkdisk, again no difference. I seriously do not have a clue what to do next.

Before this happened Panda blocked some "unknown" virus. It came up as a command prompt and did something; it disappeared too quickly for me to read it. Panda is telling me that it's in the following route: C://WINDOWS/temp.win165.exe

I am lucky the Task Manager can run programs. I have tried going onto separate accounts; the same still applies, the desktop vanishes.

Please help.


----------



## Cookiegal (Aug 27, 2003)

Can you boot to Last Known Good Configuration?


----------



## theriddler (Jul 23, 2007)

That's where my second problem lies: my keyboard just doesn't work on that screen. When I tap F5 (my keys are jumbled) it gets me to the screen, but then the keyboard just doesn't do anything.

I have seen other articles with the same problem, and it has been fixed by using a p2p (along the lines of that) keyboard.

Well, I have no idea what one of those is; I'm guessing it's a keyboard with the little circle end. Well, just as luck would have it, mine's a damn USB. I have this little converter in which you plug it into the p2p keyboard slot and then the USB goes in the back of it. I have tried this and once again... no luck.

I am running Kaspersky Online Scanner now; for once I am actually hoping it finds a virus. Also Panda found that crazy unknown virus again; it's under a new name now, C://WINDOWS/temp/win165.exe.bat

Should I click the edit button and see what this one contains? I seriously do not want to mess my computer up any more than it is now.


Does this mean anything to you?

```bat
:Retry
REM keep retrying until the dropped executable can be deleted
del "C:\WINDOWS\TEMP\win165.tmp.exe"
if exist "C:\WINDOWS\TEMP\win165.tmp.exe" goto Retry
REM then remove this batch file itself
del "C:\WINDOWS\TEMP\win165.tmp.bat"
exit
```


----------
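The batch file theriddler found is the clean-up half of a dropper. Windows will not delete the image of a running process, so the script spins on `del` until `win165.tmp.exe` has exited and is gone, then deletes the batch file itself; cmd reads a batch file line by line, which is why a script can remove its own file near the end. Installers and updaters use the same trick, so on its own it is an indicator to pair with the Panda detection, not proof. The following is an added example, not part of the thread and not any vendor's code, that recognises that shape in batch text: the posted script is re-typed as the first sample, and the second sample is a constructed ordinary cleanup script for contrast.

```python
"""Recognise the delete-retry-then-self-delete shape in a batch file.

Added example; not part of the thread and not any vendor's code.  POSTED_BAT is
the script theriddler pasted (re-typed), BENIGN_BAT is constructed for contrast.
"""
import re

LABEL_RE = re.compile(r"^\s*:(?P<label>\w+)\s*$")
DEL_RE = re.compile(r'^\s*(?:del|erase)\s+(?:/\w+\s+)*"?(?P<target>[^"\s]+)"?', re.I)
IF_EXIST_GOTO_RE = re.compile(
    r'^\s*if\s+exist\s+"?(?P<target>[^"\s]+)"?\s+goto\s+(?P<label>\w+)', re.I)

POSTED_BAT = """\
:Retry
del "C:\\WINDOWS\\TEMP\\win165.tmp.exe"
if exist "C:\\WINDOWS\\TEMP\\win165.tmp.exe" goto Retry
del "C:\\WINDOWS\\TEMP\\win165.tmp.bat"
exit
"""

# Constructed: a normal build cleanup, deletes files once and does not loop.
BENIGN_BAT = """\
@echo off
del /q "C:\\build\\out\\*.obj"
echo done
"""


def analyze_batch(text):
    """Report what the script deletes and whether it shows the dropper clean-up
    shape: spin on 'del' until a file is gone (i.e. until whatever holds it has
    exited), then delete a .bat/.cmd, typically the script's own file."""
    labels, deletes, loops = set(), [], []
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            labels.add(m["label"].lower())      # batch labels are case-insensitive
            continue
        m = DEL_RE.match(line)
        if m:
            deletes.append(m["target"])
            continue
        m = IF_EXIST_GOTO_RE.match(line)
        if m:
            loops.append((m["target"].lower(), m["label"].lower()))
    # A file that is both deleted and guarded by "if exist ... goto <label>"
    # where <label> really exists is being deleted in a busy-wait loop.
    retried = {target for target, label in loops if label in labels}
    spin_deletes = [t for t in deletes if t.lower() in retried]
    self_deletes = [t for t in deletes if t.lower().endswith((".bat", ".cmd"))]
    if spin_deletes and self_deletes:
        verdict = "self-deleting dropper cleanup"
    elif spin_deletes:
        verdict = "delete-retry loop"
    else:
        verdict = "no pattern"
    return {"deletes": deletes, "spin_deletes": spin_deletes,
            "self_deletes": self_deletes, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("posted", POSTED_BAT), ("benign", BENIGN_BAT)):
        r = analyze_batch(text)
        print(f"{name}: {r['verdict']} (spins on {r['spin_deletes']}, removes {r['self_deletes']})")
```

The useful output is the spin target, `C:\WINDOWS\TEMP\win165.tmp.exe`: that is the file that was running and is already gone by the time the batch finishes, so it is the path to search for in AV quarantine and Prefetch rather than the `.bat` itself.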



## Cookiegal (Aug 27, 2003)

We are fighting a losing battle here and your computer has too much infection and corruption to recover from it.

The best thing I can recommend at this time is to back up your important data, wipe the drive and reformat.


----------



## theriddler (Jul 23, 2007)

That's starting to look like the better option. Thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------

