Nail.exe infection and other problems


#1 c00per (Member, 46 posts)
Hello,
I got infected with Nail.exe and deleted it with Nod32. After a reboot it appeared again, but I kept deleting it until it did not appear again. But after that, when I rebooted the PC, the "welcome" window stuck on the screen for about 30 seconds, and after that the desktop was black until I clicked on something, and Windows reported that an error occurred because C:\windows\nail.exe could not be found. Also, every time I perform a scan with Ad-Aware it finds regdata [Foto], which I believe is associated with Nail.exe.

I also had inadvertently installed New.net with one of the P2P programs. I uninstalled it and removed what was left with Spybot-S&D, but sometimes after startup an error occurs that newdotnet.dll was not found.

Also, when I was doing the "Required steps before posting your log", CWShredder found CWS.Msconfig and fixed it in safe mode, but when I ran the scan again, it found CWS.Msconfig again.

Also, my Internet Explorer does not load any page anymore, reporting that "The page cannot be displayed".

Also, all my desktop items and taskbar have gone, but I guess this is not the place for that problem.

Also, though my PC is quite new [P4, 3 GHz, 512 MB RAM], it has been running very slowly for the last few months and has all the problems listed above. I hope you can understand my poor English and help me after looking at my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 14:22:30, on 2006.04.02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Auto Power-on\AutoPower.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LDCPlusPlus\LDCPlusPlus.exe
C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\DAP\DAP.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alkonas\ALKONAS.exe
C:\Program Files\Alkonas\ALKONAS.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.85.4.102:8080
F2 - REG:system.ini: Shell=
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9228DF91-433E-40DF-BFEC-CDC6F656BD72} - C:\WINDOWS\system32\odmp.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E47F6F85-CC61-4376-BC1D-C49F0F7C7414} - C:\WINDOWS\system32\odmp.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SuNotification] C:\Program Files\ShadowStor\ShadowUser\suatshut.exe
O4 - HKLM\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMONITOR.EXE
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: ST.lnk = C:\Program Files\Spyware Terminator\SpywareTerminator.exe
O4 - Startup: WinAmp.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ShadowUser Pro Edition.lnk = C:\Program Files\ShadowStor\ShadowUser\ShadowUser.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: KZod - {10954C80-4F0F-11d3-B17C-00C0DFE39333} - C:\Program Files\KZod\KZod.exe
O9 - Extra 'Tools' menuitem: KZod - {10954C80-4F0F-11d3-B17C-00C0DFE39333} - C:\Program Files\KZod\KZod.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129151998062
O17 - HKLM\System\CCS\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DA50103-E154-4E37-A53C-5F10662D2484}: NameServer = 212.59.0.1 212.59.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O20 - AppInit_DLLs: vsmvhk.dll
O20 - Winlogon Notify: sunotify - C:\WINDOWS\SYSTEM32\sunotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Auto Power-on (AutoPower) - Unknown owner - C:\Program Files\Auto Power-on\AutoPower.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



#2 Dragon (All Around Computer Nut, Retired Staff, 2,682 posts)
Hi and welcome to Geeks to Go,

Since we have a good idea about your infected system, we will finish the cleanup process.

Please download ewido security suite; it is the free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Don't run it yet!

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.


To reboot into Safe Mode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {E47F6F85-CC61-4376-BC1D-C49F0F7C7414} - C:\WINDOWS\system32\odmp.dll (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK


Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the ewido scan, by using Add Reply.

Edited by Dragon, 03 April 2006 - 08:23 AM.

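The log in post #1 and the entries Dragon picks out in post #2 are read with the same handful of rules a responder applies by hand: the F2 REG:system.ini: Shell= line is HijackThis's view of the Winlogon Shell value (normally exactly Explorer.exe; an empty value means no shell is started at logon, extra entries mean something else is launched with it), R0/R1 entries show where Internet Explorer's proxy points, O20 AppInit_DLLs names a DLL loaded into every process that links user32.dll, and hooks marked (file missing) are leftover registry references. The R1 ProxyServer line in this log, which the fix list does not include, sends IE's traffic to 213.85.4.102:8080, and an unreachable proxy produces exactly the "page cannot be displayed" error described. The Python script below, added here as an example and not a tool any poster used, applies those rules to lines copied from the first log, together with the hijacked Shell= line from the fix list and constructed benign lines for contrast; the Finding type, the rule tags and the regular expressions are the editor's own.

```python
"""Triage HijackThis 1.99 log lines for the entry types that carry
persistence or traffic redirection. Added example for this thread; the
rules and the Finding type are the editor's own, not a tool any poster used."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str   # short tag for the rule that fired
    line: str   # the original log line
    note: str   # why the entry matters


# Constructed sample: lines copied from the first log in the thread, the
# hijacked Shell= line from the responder's fix list, and benign lines for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.85.4.102:8080
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E47F6F85-CC61-4376-BC1D-C49F0F7C7414} - C:\WINDOWS\system32\odmp.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O20 - AppInit_DLLs: vsmvhk.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# HJT prints a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (\S+)")
APPINIT_RE = re.compile(r"AppInit_DLLs:\s*(\S.*)?$")


def _check_shell(body: str, line: str) -> List[Finding]:
    # HJT's "REG:system.ini: Shell=" mirrors the Winlogon\Shell registry value.
    # A healthy XP system has exactly "Explorer.exe" there.
    if "Shell=" not in body:
        return []
    programs = body.split("Shell=", 1)[1].split()
    if not programs:
        return [Finding("shell_empty", line,
                        "Winlogon Shell is empty: no desktop shell is started at logon")]
    extra = [p for p in programs
             if p.lower() not in ("explorer.exe", r"c:\windows\explorer.exe")]
    if extra:
        return [Finding("shell_extra", line,
                        "program(s) started alongside the shell: " + ", ".join(extra))]
    return []


def _check_proxy(body: str, line: str) -> List[Finding]:
    m = PROXY_RE.search(body)
    if not m:
        return []
    host = m.group(1).split(":")[0].lower()
    if host in ("127.0.0.1", "localhost"):
        return []  # local filtering proxies are common and usually legitimate
    return [Finding("proxy_set", line,
                    f"IE traffic is routed through {m.group(1)}; an unreachable proxy "
                    "shows as 'The page cannot be displayed'")]


def _check_appinit(body: str, line: str) -> List[Finding]:
    m = APPINIT_RE.match(body)
    if not m or not m.group(1):
        return []
    return [Finding("appinit", line,
                    "AppInit_DLLs is loaded into every process that links user32.dll: "
                    + m.group(1).strip())]


def _check_orphan(code: str, body: str, line: str) -> List[Finding]:
    if body.rstrip().endswith("(file missing)"):
        return [Finding("orphan", line,
                        f"{code} hook points at a file that no longer exists; "
                        "the registry reference itself is what remains to remove")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious entry, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "F2":
            findings += _check_shell(body, line)
        elif code in ("R0", "R1"):
            findings += _check_proxy(body, line)
        elif code == "O20":
            findings += _check_appinit(body, line)
        if code in ("O2", "O3", "O20", "O23"):
            findings += _check_orphan(code, body, line)
    return findings


def kinds(findings: List[Finding]) -> List[str]:
    """Distinct rule tags that fired, sorted, for a quick summary."""
    return sorted({f.kind for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.note}\n    {f.line}")
```

Run as a script it prints one line per finding; `triage()` takes the whole log text, so a saved HijackThis log can be passed in with `open(path).read()`. The shell rule treats only Explorer.exe as expected, so any product that legitimately replaces the shell would have to be added to that list, and the proxy rule deliberately ignores loopback addresses because local filtering proxies are common.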

#3 c00per (Topic Starter, Member, 46 posts)
Hello again, sorry for the delay and thank you for helping me.

HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 04:05:50, on 2006.04.04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alkonas\ALKONAS.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.85.4.102:8080
F2 - REG:system.ini: Shell=
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E47F6F85-CC61-4376-BC1D-C49F0F7C7414} - C:\WINDOWS\system32\odmp.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SuNotification] C:\Program Files\ShadowStor\ShadowUser\suatshut.exe
O4 - HKLM\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMONITOR.EXE
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: ST.lnk = C:\Program Files\Spyware Terminator\SpywareTerminator.exe
O4 - Startup: WinAmp.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ShadowUser Pro Edition.lnk = C:\Program Files\ShadowStor\ShadowUser\ShadowUser.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: KZod - {10954C80-4F0F-11d3-B17C-00C0DFE39333} - C:\Program Files\KZod\KZod.exe
O9 - Extra 'Tools' menuitem: KZod - {10954C80-4F0F-11d3-B17C-00C0DFE39333} - C:\Program Files\KZod\KZod.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129151998062
O17 - HKLM\System\CCS\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DA50103-E154-4E37-A53C-5F10662D2484}: NameServer = 212.59.0.1 212.59.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O20 - AppInit_DLLs: vsmvhk.dll
O20 - Winlogon Notify: sunotify - C:\WINDOWS\SYSTEM32\sunotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Auto Power-on (AutoPower) - Unknown owner - C:\Program Files\Auto Power-on\AutoPower.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Ewido
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 03:17:48, 2006.04.04
+ Report-Checksum: 703C13B2

+ Scan result:

HKU\S-1-5-21-1085031214-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FD44536-9DF0-4034-939F-5BD4D98E3187} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1085031214-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Vartotojas\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\7C05C0E2-C23B-4992-82B5-5ADFF7\0C6454C5-8A5F-4E90-A23F-CCF4C4 -> Hijacker.StartPage.uz : Cleaned with backup
C:\Documents and Settings\Vartotojas\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\7C05C0E2-C23B-4992-82B5-5ADFF7\21439FE7-4372-4BC1-B0AD-C9F0E6 -> Hijacker.StartPage.uz : Cleaned with backup
C:\Documents and Settings\Vartotojas\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\7C05C0E2-C23B-4992-82B5-5ADFF7\4B48E7CD-A9AE-4B84-8066-D8889F -> Hijacker.StartPage.uz : Cleaned with backup
C:\Documents and Settings\Vartotojas\My Documents\Software\rapidharvest2.zip/mp3_plugin.exe -> Downloader.IstBar : Error during cleaning
C:\Documents and Settings\Vartotojas\My Documents\Software\Windows Serials AIO\UltimateWindows.rar/UltimateWindows\lovelywaz-UltimateWindowsKeygenPak\RockXP v3\RockXP30.exe/xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Error during cleaning
C:\Documents and Settings\Vartotojas\My Documents\Software\Windows Serials AIO\UltimateWindows.rar/UltimateWindows\lovelywaz-UltimateWindowsKeygenPak\RockXP v3\RockXP30.exe/keyms.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Error during cleaning
C:\Documents and Settings\Vartotojas\My Documents\Software\Windows Serials AIO\UltimateWindows.rar/UltimateWindows\lovelywaz-UltimateWindowsKeygenPak\RockXP v3\RockXP30.exe/RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Error during cleaning
C:\Documents and Settings\Vartotojas\My Documents\Stuff & Backups\Virus\[Se.dll].rar/[Se.dll]\se.dll -> Hijacker.StartPage.uz : Cleaned with backup
C:\Documents and Settings\Vartotojas\My Documents\Stuff & Backups\Virus\[Se.dll].rar/[Se.dll] 2\se.dll -> Hijacker.StartPage.uz : Cleaned with backup
C:\Program Files\Auto Power-on\AutoPower.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002849.zip/WINDOWS/NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002849.zip/Program Files/newdot~1/newdotnet7_14.dll -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002849.zip/Program Files/newdotnet/newdotnet7_14.to_be_deleted -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002849.zip/Program Files/newdotnet/uninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002849.zip/Program Files/newdotnet/newdotnet7_14.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002849.zip/Program Files/newdot~1/newdotnet7_14.to_be_deleted -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002856.zip/Program Files/newdotnet/newdotnet7_14.to_be_deleted -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002856.zip/Program Files/newdotnet/newdotnet7_14.to_be_deleted_x -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060128002856.zip/Program Files/newdot~1/newdotnet7_14.to_be_deleted -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\ESET\infected\5VQPCLCA.NQF -> Trojan.Agent.cp : Cleaned with backup
C:\Program Files\WinRAR\Patch09c.exe -> Downloader.VB.ts : Cleaned with backup
C:\WINDOWS\197296.Vexe -> Worm.Bagle.bq : Cleaned with backup
C:\WINDOWS\22363015.Vexe -> Worm.Bagle.bq : Cleaned with backup
D:\My Documents\Jokes\Jonio prikolai\Miracle.exe -> Not-A-Virus.BadJoke.Win32.Anywork : Cleaned with backup
D:\My Documents\Software\Craagle\Craagle.exe -> Adware.Craagle : Cleaned with backup


::Report End

#4 Dragon (All Around Computer Nut, Retired Staff, 2,682 posts)
Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes only next to the following items, then click Fix checked.


F2 - REG:system.ini: Shell=
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


Reboot your computer.
Are you still having problems?

#5 c00per (Topic Starter, Member, 46 posts)

F2 - REG:system.ini: Shell=
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Though I have fixed these, they reappeared when I performed another HijackThis scan.
And yes, I still have the same problems: the "welcome" window still jams up at startup for about 30 seconds, Internet Explorer still doesn't load any page, and my desktop items and taskbar haven't come back.
Thanks for the help, but I guess there's nothing you can do and the only way is to reinstall Windows...

#6 Dragon (All Around Computer Nut, Retired Staff, 2,682 posts)
Don't give up yet; we still have other steps to do.

Download StartDreck from: http://www.niksoft.at/download/startdreck.htm
  • Extract the file into c:\startdreck.
  • Navigate to c:\startdreck and double-click on Startdreck.exe
  • When the program opens click on the Config button.
  • Then click on the unmark all button.
  • Put checkmarks in the following checkboxes:
  • Under Registry put a checkmark in the Run Keys checkbox.
  • Under System/Drivers put a check in the Running Processes checkbox.
  • Press the OK button.
  • Press the Save button.
Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

#7 c00per (Topic Starter, Member, 46 posts)
Thanks again for the support; I guess I have to post this log:

StartDreck (build 2.1.7 public stable) - 2006-04-04 @ 17:33:04 (GMT +03:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Vartotojas at 8DE8851A23304CE

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*SP2 Connection Patcher="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
*Mozilla Quick Launch="C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
*AWMON="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
*warez="C:\Program Files\Warez P2P Client\warez.exe" -h
*Bandwidth Monitor Pro="C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
*Spyware Doctor="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
»RunOnce
»Default User
»Run
*Spyware Doctor="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
»RunOnce
»Local Machine
»Run
*nod32kui=C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
*SuNotification=C:\Program Files\ShadowStor\ShadowUser\suatshut.exe
*BandwidthMonitor=C:\Program Files\BandwidthMonitor\BWMONITOR.EXE
*RegistryMechanic=
*SunServer=C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
*SpywareTerminator="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*MSConfig=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\system32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /s
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*BHO.HelperObject.1/{00C6482D-C502-44C8-8409-FCE54AD9C208}
`InprocServer32=C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
*metaspinner media GmbH/{12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443}
`InprocServer32=C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
*PCTools Site Guard/{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
`InprocServer32=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
*SSVHelper Class/{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
`InprocServer32=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
*PCTools Browser Monitor/{B56A7D7D-6927-48C8-A975-17DF180C71AC}
`InprocServer32=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
*{E47F6F85-CC61-4376-BC1D-C49F0F7C7414}
`InprocServer32=C:\WINDOWS\system32\odmp.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Vartotojas\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Vartotojas\Start Menu\Programs\Startup\ST.lnk
*C:\Documents and Settings\Vartotojas\Start Menu\Programs\Startup\WinAmp.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ShadowUser Pro Edition.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\system32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+644=\SystemRoot\System32\smss.exe
+712=\??\C:\WINDOWS\system32\csrss.exe
+736=\??\C:\WINDOWS\system32\winlogon.exe
+780=C:\WINDOWS\system32\services.exe
+792=C:\WINDOWS\system32\lsass.exe
+968=C:\WINDOWS\system32\svchost.exe
+1036=C:\WINDOWS\system32\svchost.exe
+1144=C:\WINDOWS\System32\svchost.exe
+1236=C:\WINDOWS\system32\svchost.exe
+1352=C:\WINDOWS\system32\svchost.exe
+1528=C:\WINDOWS\system32\spoolsv.exe
+1816=C:\WINDOWS\Explorer.EXE
+1944=C:\Program Files\ewido anti-malware\ewidoctrl.exe
+1976=C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
+2012=C:\Program Files\Eset\nod32krn.exe
+200=C:\Program Files\Spyware Doctor\sdhelp.exe
+340=C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
+576=C:\WINDOWS\system32\wdfmgr.exe
+1252=C:\WINDOWS\system32\wscntfy.exe
+1268=C:\WINDOWS\System32\alg.exe
+280=C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
+1736=C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
+1556=C:\PROGRA~1\mozilla.org\Mozilla\mozilla.exe
+1808=C:\WINDOWS\system32\ctfmon.exe
+796=C:\Program Files\FileZilla\FileZilla.exe
+1092=C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
+2128=C:\Program Files\LDCPlusPlus\LDCPlusPlus.exe
+2216=C:\Program Files\DAP\DAP.exe
+2300=C:\startdreck217\StartDreck.exe
»NT Services
*Alerter Alerter - disabled
*Application Layer Gateway Service ALG running on demand
*Application Management AppMgmt - on demand
*Windows Audio AudioSrv running auto
*Auto Power-on AutoPower - auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser - auto
*Indexing Service CiSvc - on demand
*ClipBook ClipSrv - disabled
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DCOM Server Process Launcher DcomLaunch running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*ewido security suite control ewido security suite running auto
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*HTTP SSL HTTPFilter - on demand
*InstallDriver Table Manager IDriverT - on demand
*IMAPI CD-Burning COM Service ImapiService - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Machine Debug Manager MDM running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - disabled
*Network DDE DSDM NetDDEdsdm - disabled
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NOD32 Kernel Service NOD32krn running auto
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Office Source Engine ose - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry RemoteRegistry - disabled
*Remote Packet Capture Protocol v.0 (experimenta rpcapd - on demand
`l)
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*PC Tools Spyware Doctor SDhelper running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Windows Firewall/Internet Connection Sharing (I SharedAccess running auto
`CS)
*Shell Hardware Detection ShellHWDetection running auto
*Print Spooler Spooler running auto
*System Restore Service srservice running auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc - on demand
*Webroot Spy Sweeper Engine svcWRSSSDK running auto
*MS Software Shadow Copy Provider SwPrv - on demand
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Telnet TlntSvr - disabled
*Distributed Link Tracking Client TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Windows Management Instrumentation Driver Exten Wmi - on demand
`sions
*WMI Performance Adapter WmiApSrv - on demand
*Security Center wscsvc running auto
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
*Network Provisioning Service xmlprov - on demand
»Application specific
  • 0

#8
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
Please download Rootkit Revealer (link is at the very bottom of the page)
Unzip it to your desktop.

reboot your computer to safe mode,

Click on Start>My Computer, then click on Tools>Folder Options. In the Folder Options window click on the View tab, find "show hidden files and folders" and choose that, then uncheck "hide system files". Close that window. Find the following files and delete them.

C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
C:\WINDOWS\system32\odmp.dll


It would also be helpful to get rid of the Warez P2P sharing program. This is an open door for trojans, viruses, and other malware to get into your system.

Reboot your computer back to normal mode.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Edited by Dragon, 04 April 2006 - 11:57 AM.

  • 0

#9
c00per

c00per

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
First of all, sorry for such a long delay. [I had problems with my internet connection]

C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL

Deleted [there were two of them]

C:\WINDOWS\system32\odmp.dll

I couldn't find this file.

It would also be helpful to get rid of warez p2p sharing program

I uninstalled it.

Rootkit Revealer
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 2/23/2006 6:46 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Vartotojas\My Documents\CA4PY7QF.:Zone.Identifier 9/4/2005 11:42 AM 26 bytes Hidden from Windows API.
  • 0

#10
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
Could you please post a new HijackThis log, since it has been a while.

Are you still having the same issues you had when you started this topic?

Edited by Dragon, 10 April 2006 - 03:31 PM.

  • 0

#11
c00per

c00per

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 07:32:06, on 2006.04.11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.85.4.102:8080
F2 - REG:system.ini: Shell=
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E47F6F85-CC61-4376-BC1D-C49F0F7C7414} - C:\WINDOWS\system32\odmp.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SuNotification] C:\Program Files\ShadowStor\ShadowUser\suatshut.exe
O4 - HKLM\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMONITOR.EXE
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: ST.lnk = C:\Program Files\Spyware Terminator\SpywareTerminator.exe
O4 - Startup: WinAmp.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ShadowUser Pro Edition.lnk = C:\Program Files\ShadowStor\ShadowUser\ShadowUser.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: KZod - {10954C80-4F0F-11d3-B17C-00C0DFE39333} - C:\Program Files\KZod\KZod.exe
O9 - Extra 'Tools' menuitem: KZod - {10954C80-4F0F-11d3-B17C-00C0DFE39333} - C:\Program Files\KZod\KZod.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129151998062
O17 - HKLM\System\CCS\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DA50103-E154-4E37-A53C-5F10662D2484}: NameServer = 212.59.0.1 212.59.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O20 - AppInit_DLLs: vsmvhk.dll
O20 - Winlogon Notify: sunotify - C:\WINDOWS\SYSTEM32\sunotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Auto Power-on (AutoPower) - Unknown owner - C:\Program Files\Auto Power-on\AutoPower.exe (file missing)
O23 - Service: CYWGHNOEAQQUFM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\VARTOT~1\LOCALS~1\Temp\CYWGHNOEAQQUFM.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

And yes, I still have the same problems: the "welcome" window still jams up at startup for about 30 seconds, Internet Explorer still doesn't load any page, and my desktop items and taskbar haven't come back :blink: :whistling:
  • 0

#12
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
OK, I have a couple of entries here that I have a concern about, so let's see if we can get them.

First, click on Start>Run; in the box that opens up please type cmd. This will open a DOS window. In that window I need you to type the following:
attrib -s -h C:\windows\System32\odmp.dll

After that, type exit, then navigate to C:\Windows\System32 and see if you can find the file odmp.dll and delete it.

Could you also please find the following file, right-click on it, send it to a compressed (zipped) folder and send it to Submissions:
C:\DOCUME~1\VARTOT~1\LOCALS~1\Temp\CYWGHNOEAQQUFM.exe

Edited by Dragon, 11 April 2006 - 06:20 AM.

  • 0

#13
c00per

c00per

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts

first, click on start

You don't get it - I have neither a Start button nor a Taskbar. It disappeared somewhere. If you want, look at my desktop [Foto]

navigate to C:\Windows\System32 and see if you can find the file odmp.dll and delete it

I still can't find it [Foto]

C:\DOCUME~1\VARTOT~1\LOCALS~1\Temp\CYWGHNOEAQQUFM.exe

I sent it.

Edited by c00per, 11 April 2006 - 09:08 AM.

  • 0

#14
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
Download smitRem.zip and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Click Browse.

Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to the left or to the right, because they will usually open on top of each other and you won't see the command window the tool starts underneath them.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'Shut Down' from the menu on top and click Restart. Your computer will reboot now.
Reboot to normal mode and post a hijackthis log in your next reply and let me know if you have your desktop back to normal operation.
  • 0

#15
c00per

c00per

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Desktop is still without its items and taskbar, the only thing that has changed is that the background became blue [Foto]

HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 17:04:14, on 2006.04.14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.85.4.102:8080
F2 - REG:system.ini: Shell=
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\PROGRA~1\YETISP~1\IEBUTT~1.DLL (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E47F6F85-CC61-4376-BC1D-C49F0F7C7414} - C:\WINDOWS\system32\odmp.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SuNotification] C:\Program Files\ShadowStor\ShadowUser\suatshut.exe
O4 - HKLM\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMONITOR.EXE
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\sndoctor.exe" /Q
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: ST.lnk = C:\Program Files\Spyware Terminator\SpywareTerminator.exe
O4 - Startup: WinAmp.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ShadowUser Pro Edition.lnk = C:\Program Files\ShadowStor\ShadowUser\ShadowUser.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: KZod - {10954C80-4F0F-11d3-B17C-00C0DFE39333} - C:\Program Files\KZod\KZod.exe
O9 - Extra 'Tools' menuitem: KZod - {10954C80-4F0F-11d3-B17C-00C0DFE39333} - C:\Program Files\KZod\KZod.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129151998062
O17 - HKLM\System\CCS\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DA50103-E154-4E37-A53C-5F10662D2484}: NameServer = 212.59.0.1 212.59.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{06A287A7-5FD1-42AD-B594-478A8ECF975E}: NameServer = 212.59.0.1,212.59.0.2
O20 - AppInit_DLLs: vsmvhk.dll
O20 - Winlogon Notify: sunotify - C:\WINDOWS\SYSTEM32\sunotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Auto Power-on (AutoPower) - Unknown owner - C:\Program Files\Auto Power-on\AutoPower.exe (file missing)
O23 - Service: CYWGHNOEAQQUFM - Unknown owner - C:\DOCUME~1\VARTOT~1\LOCALS~1\Temp\CYWGHNOEAQQUFM.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0
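An added example, not part of this thread and not code from HijackThis or any tool mentioned in it: a small Python triage pass over HijackThis-style log lines, flagging the kinds of entries a helper reviews first (an empty Shell= value, add-ons and services whose file is missing, a service binary under Temp, an AppInit_DLLs entry, a configured proxy). The sample lines are copied from the log posted above; the rule set and the Finding class are my own construction.

```python
import re
from dataclasses import dataclass

# One HijackThis v1.99 line: a section tag (R1, F2, O2, O23 ...), " - ", then the rest.
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _empty_shell(section, rest):
    # F2 reports the Winlogon Shell value; an empty value means no shell
    # (normally Explorer.exe) is registered to start at logon.
    return section == "F2" and re.search(r"Shell=\s*$", rest) is not None


def _orphaned_addon(section, rest):
    # O2 (BHO) / O3 (toolbar) registrations whose DLL is gone: a removal
    # left the registry entry behind, or the file is being hidden.
    return section in ("O2", "O3") and "(file missing)" in rest


def _appinit_dll(section, rest):
    # AppInit_DLLs are loaded into every process that links user32.dll.
    return section == "O20" and rest.startswith("AppInit_DLLs:")


def _service_in_temp(section, rest):
    # A service whose binary lives in a user's Temp folder is unusual.
    return section == "O23" and re.search(r"\\temp\\", rest, re.IGNORECASE) is not None


def _service_file_missing(section, rest):
    return section == "O23" and "(file missing)" in rest


def _proxy_set(section, rest):
    # R1 ProxyServer: all IE traffic goes through this host; confirm it is intended.
    return section == "R1" and "ProxyServer" in rest


RULES = [
    (_empty_shell, "Shell= is empty; the logon shell is normally Explorer.exe"),
    (_orphaned_addon, "browser add-on registered for a DLL that is not on disk"),
    (_appinit_dll, "AppInit_DLLs entry loads a DLL into every user32 process"),
    (_service_in_temp, "service binary lives in a Temp directory"),
    (_service_file_missing, "service registered for a binary that is not on disk"),
    (_proxy_set, "Internet Explorer proxy configured; confirm it is intended"),
]


def parse_line(line):
    """Split a HijackThis line into (section, rest); None for non-log lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(lines):
    """Apply every rule to every parsed line; one Finding per (line, rule) hit."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # header, process list, blank line, etc.
        section, rest = parsed
        for predicate, reason in RULES:
            if predicate(section, rest):
                findings.append(Finding(section, reason, line.strip()))
    return findings


# Sample input: lines copied from the log posted in this thread (one benign
# O2 and one benign O4 entry included so the rules are seen to skip them).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.85.4.102:8080
F2 - REG:system.ini: Shell=
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E47F6F85-CC61-4376-BC1D-C49F0F7C7414} - C:\WINDOWS\system32\odmp.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O20 - AppInit_DLLs: vsmvhk.dll
O23 - Service: CYWGHNOEAQQUFM - Unknown owner - C:\DOCUME~1\VARTOT~1\LOCALS~1\Temp\CYWGHNOEAQQUFM.exe (file missing)
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

A flag here is a prompt to look closer, not a verdict: legitimate software also leaves orphaned entries behind, so each hit still has to be checked against what is actually installed.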