
Disabled User Has WinAntivirus PopUps Again & More!


#1
paulinspain
Member
77 posts
Among other things I use my PC to keep me in touch with my hospital to monitor my condition, and now I find I have a Malware/Trojan problem, which started with “WinAntiVirus PopUps”.
I had this problem some months ago & believed I had got rid of it. But on FRIDAY it was BACK with a Vengeance.

I have recently installed I.E.7. But now, using I.E., I cannot get online. Thank goodness for FireFox. Whether I attempt to go online or not, I keep getting a small grey box open with the following: “Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

AppName: iexplore.exe AppVer: 7.0.5700.6 ModName: hezymgf.dll
ModVer: 0.0.0.0 Offset: 000018a7”

The ModName is never the same, such as krwparjd.dll.
I have tried to follow your steps through 1-4, but I could not run “TrojanHunter”. I let the licence slip a while back & unless I cough up it won’t run, I’m afraid. I’m not tight but only on a pension. Have done everything else though. Plus I have AVG7.5.425 which includes, I believe, “ewido”, plus Avast Home 4.7, Ad-Aware SE & Spybot, plus I have Ewido 3.5 which I run as somehow it picks up things AVG7.5.425 seems to miss. I have even run “Trend HouseCall” which found 2 viruses & 2 Trojans. Having run all of this, nothing seems to have sorted the problem. I used RegistryFix, like an idiot, to sort out the .dll files but forgot to back up. I currently have System Restore turned OFF & endeavour to unplug from the internet while the scans are being carried out, only turning the internet back on once I have rebooted. Can you please help?

AVG even pointed out Trojan Horse Generic 2.EMD & ENZ!

Here is a copy of the latest HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 16:34:43, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Windows Defender\MSASCui.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
F:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\{50E7BE92-0872-2057-0724-03030902002c}\Update.exe
C:\WINDOWS\TEMP\iddA.tmp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\TEMP\win51E.tmp.exe
C:\WINDOWS\TEMP\idd1E.tmp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonic.....ma+es,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [hezymgf.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\hezymgf.dll,gznvoxe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [wgosrej.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msn.co.uk
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.nero.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epso.../EpsonSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.0.84.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133442798833
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133483226562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Heuristic.Win32.Dialer

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 17:42:02, 10/10/2006
+ Report-Checksum: 4E47A3AA

+ Scan result:

:mozilla.25:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Weborama : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\WINDOWS\Temp\idd1.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd10.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd102.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd121.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd14.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd140.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd15.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd16.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd162.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd184.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1A6.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1A7.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1C0.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1C1.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1C5.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1C9.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1D2.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1D3.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1E.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd1E4.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd2.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd20.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd203.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd21.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd22.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd225.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd244.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd266.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd27.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd28.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd288.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd289.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd292.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd293.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd294.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd29D.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd29E.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd2AA.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd2CC.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd2EE.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd2EF.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd2F8.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd2F9.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd2FA.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd303.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd304.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd310.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd332.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd34.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd351.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd352.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd35B.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd35C.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd35D.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd366.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd373.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd395.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd3B7.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd3D9.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd3F8.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd3F9.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd475.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd49C.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4AD.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4B.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4B9.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4D.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4D1.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4D3.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4D5.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4D8.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4DC.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4E0.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4E5.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4E6.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4E7.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4F0.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4F8.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4FA.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4FB.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4FC.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd4FD.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd514.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd516.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd51A.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd51B.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd51E.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd51F.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd521.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd523.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd524.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd527.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd52C.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd52D.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd536.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd549.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd551.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd557.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd562.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd567.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd574.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd579.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd584.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd585.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd586.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd587.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd589.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd590.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd591.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd592.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd593.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd595.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd596.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd59D.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5A0.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5A1.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5A2.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5A4.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5AE.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5AF.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5B0.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5B1.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5B2.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5B3.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5B7.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5B8.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5B9.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5BA.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5BB.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5BC.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5C3.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd5E.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd6.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd603.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd615.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd61A.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd64B.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd64C.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd7.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd74B.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd76C.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd7D.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd8.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd9.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\idd9C.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\iddA.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\iddAF.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\iddB.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\iddB0.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\iddBE.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\iddE.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\iddE0.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Temp\iddF.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup


::Report End

As per posting: Several Infections, HELP!! Oct 1 2006, 07:29PM

I have tried to leave only one AV program running, being AVG 7.5, with “Windows Defender” only coming on when I want, I hope. As per the above post I have downloaded ATF Cleaner, which produced nothing in Internet Explorer. But it freed up a lot of space in the Firefox setting, which I have had to use the past few days. There was no list available to copy though.

I downloaded & ran NoLop as per above posting which found nothing!

List of Installed Programs:
I had to manually copy this as there is no way to do a multiple copy that I can find.
HijackThis v1.99.1 11 October 00:42
3D Windows XP Screen Saver
Ad-Aware SE Personal
Adobe Acrobat 7.0.8 Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
Apple Software Update
ArcSoft Panorama Maker 3
a-squared Free 1.6.5
ATI Control Panel
ATI Display Driver
ATI HydraVision
avast! Antivirus
AVG 7.5
BitComet 0.70
BlindWrite5
Browser Mouse Browser Mouse 1.0
Burn4Free 1.0.0.488
CCleaner (remove only)
Cool Timer 2.2
Corel Paint Shop Pro Photo XI
Corel Snapfire
CorelDRAW Design Collection – 1
CorelDRAW Design Collection – 2
CorelDRAW Design Collection – 3
CorelDRAW Graphics Suite X3
coverXP (remove only)
Cucusoft MPEG/MOV/rmvb/DivX/AVI to DVD/VCD/SVCD Converter Pro 7
DE
DiscWizard for Windows
DivxToDVD 0.5.2b
DVD Shrink 3.2
DVDx 2.2
EHusBook 2.34
EN
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoQuicker3.0
EPSON PhotoQuicker3.5
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON TWAIN 5
ESPR200 Reference Guide
ESPR200 Software Guide
ewido anti-malware
FontNav
Google Earth
GSpot Codec Information Appliance
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
IKEA Home Planner Kitchen
ImgBurn (Remove Only)
InkSaver
InterActual Player
InterVideo Disc Master for Medion
InterVideo DVDCopy 4
InterVideo DVDCopy for Medion
InterVideo WinDVD 4
InterVideo WinDVD 7
InterVideo WinDVD Creator for Medion
InterVideo WinDVD Recorder for Medion
IsoBuster 1.9
iTunes
iTunes
J2SE Runtime Environment 5.0 Update 6
K-Lite Mega Codec Pack 1.52
LimeWire PRO 4.10.5
Logitech Desktop Messenger
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic ISO Maker v5.1 (build 0185)
MAGIX audio cleaning lab 10 e-version
MediaTickets by OIN
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Sounds
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft PhotoDraw 2000 V2
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft XML Parser and SDK
Mozilla Firefox (1.5.0.7)
Mozilla Thunderbird (1.0.7)
MP3 Player Utilities V1.28
Mpeg Layer3 Codec FHG-Radium v1.263
MSN
MSN Screen Saver (Beta)
MSN Search Toolbar
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser and SDK
Musicmatch® Jukebox
Nero 7 Demo
Nero PhotoShow Express 4
Nikon Message Center
Norton Spyware Scan provided by Yahoo!
NVIDIA Drivers
NvMixer
oggcodecs 0.71.0946
PDF2Word v1.6
PictureProject
PIF DESIGNER2.1
PowerISO
QuickTime
RealPlayer
RegistryFix v5.0
Roxio Easy Media Creator 8 Suite
ScanToWeb
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Serif DrawPlus 5.0
Serif PagePlus SE 1.0
Skype 2.5
SpeedUpMyPC 3.0
SpellForce 2 - Shadow Wars US Demo
Spybot - Search & Destroy 1.4
Super DVD Creator 8.0
Tomb Raider III
TRL_Screensaver01
TrojanHunter 4.6
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Manager
VBA
VCDEasy
VideoLAN VLC media player 0.8.4a
Vodei Multimedia Processor 2.00
Watchtower Library 2004 - English Edition
Windows Defender
Windows Defender Signaturas
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Safety Scanner
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
XviD 1.1 final uninstall
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool
Yahoo! Toolbar for Internet Explorer

Well that’s as far as I dare go. Please can someone tell me what I should do next.
Thanks
#2 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff; 15,131 posts)
Hello and welcome to Geeks To Go

Some malware has the ability to hide when interrogated by HijackThis; I believe this to be true in your case. Please right click on hijackthis.exe and rename it to crusty.exe

Now please rescan with the newly named file and post the log into this thread by using the ADD REPLY button on the bottom right of this post, and I'll have a fresh look.

From now on, you will have to use crusty.exe to produce a HJT log.

#3 paulinspain (Member; Topic Starter; 77 posts)
Hi, I did as you suggested and renamed both the file and program as crusty.exe. Both scans look the same to me I must admit. The CRUSTY LOG is below.
I have also included the following in case it’s of help.

A copy of AVG 7.5 Recent Virus Log
Trojan horse Generic2.V 04/10/2006 01:59:27
Trojan horse Generic2.EMD 10/10/2006 10:55:43
Trojan horse Generic2.DDI 06/10/2006 00:43:34
Trojan horse Generic2.DDI 06/10/2006 00:44:14
Trojan horse Generic2.DDI 06/10/2006 00:47:13
Trojan horse Downloader.Generic2.JVQ 06/10/2006 01:18:45
Trojan horse Downloader.Generic2.JVP 06/10/2006 01:18:45
Trojan horse Downloader.Generic2.JVP 06/10/2006 08:57:45
Trojan horse Generic2.EMA 10/10/2006 11:58:39
Trojan horse Downloader.Generic2.SYD 11/10/2006 01:36:19

Copy of Windows Defender (Beta 2) Quarantined items
08/10 22:43 Exploit:Win32/Wmfap
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\LS4Z91OD\xpl[1].wmf

09/10 14:39 bho:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C004DEC2-2623-438e-9CA2-C9043AB28508}

09/10 14:39 file:
iewebbrowser:
HKCU@S-1-5-21-602162358-682003330-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C004DEC2-2623-438E-9CA2-C9043AB28508}

09/10 14:39 file:
HKLM\Software\Microsoft\Internet Explorer\Toolbar\\{C004DEC2-2623-438e-9CA2-C9043AB28508}

09/10 14:39 file:
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\LS4Z91OD\xpl[1].wmf

Kind Regards,
PaulinSpain

Logfile of HijackThis v1.99.1
Scan saved at 10:47:51, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
E:\Program Files\DAEMON Tools\daemon.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Defender\MSASCui.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{50E7BE92-0872-2057-0724-03030902002c}\Update.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\WINDOWS\TEMP\win51E.tmp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Program Files\Crusty.exe\Crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonic.....ma+es,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\byxwwtu.dll
O2 - BHO: (no name) - {0E699830-AD52-42FB-89B8-A60DB99AE009} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: (no name) - {26080D13-ECC6-DC2B-A47C-041EB8AF9035} - C:\WINDOWS\system32\nkojbyh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\krwparjd.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [hezymgf.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\hezymgf.dll,gznvoxe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [wgosrej.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msn.co.uk
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.nero.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epso.../EpsonSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.0.84.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133442798833
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133483226562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: byxwwtu - C:\WINDOWS\SYSTEM32\byxwwtu.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
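The HijackThis log above is read by eye: O2 (BHO) and O20 (Winlogon Notify) entries that load a DLL from C:\WINDOWS\system32, O4 Run entries that start such a DLL through rundll32.exe, entries marked "(file missing)", and the same DLL appearing under more than one load point. As an added example that is not from the thread, from HijackThis or from Geeks to Go, the Python script below applies exactly those signals to lines copied from the log (mixed with benign entries from the same log). The allow-list of expected Winlogon Notify DLLs (WgaLogon only) is an assumption made for the example, and every flag is a pointer for a human reviewer, not a verdict.

```python
r"""HijackThis (HJT) log triage, added as an illustration (not part of the
thread and not code from HijackThis or Geeks to Go).

Signals applied: O2 (BHO) and O20 (Winlogon Notify) entries loading a DLL
from C:\WINDOWS\system32, O4 Run entries that start such a DLL through
rundll32.exe, entries marked "(file missing)", and one DLL referenced from
more than one load point. KNOWN_NOTIFY is an assumption for this example.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HJT log posted above, plus a few
# benign entries from the same log so the filter has something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\byxwwtu.dll
O2 - BHO: (no name) - {0E699830-AD52-42FB-89B8-A60DB99AE009} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\krwparjd.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [hezymgf.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\hezymgf.dll,gznvoxe
O4 - HKLM\..\Run: [wgosrej.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O20 - Winlogon Notify: byxwwtu - C:\WINDOWS\SYSTEM32\byxwwtu.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
DLL_RE = re.compile(r"[\w~-]+\.dll\b", re.I)

# Assumption for this example: Winlogon Notify DLLs treated as expected.
KNOWN_NOTIFY = {"wgalogon.dll"}


def parse_log(text):
    """Turn HJT lines into dicts holding the entry kind and the DLLs it names."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        entries.append({
            "raw": line.strip(),
            "kind": m.group("kind"),
            "rest": rest,
            "dlls": {d.lower() for d in DLL_RE.findall(rest)},
        })
    return entries


def system32_dlls(entry):
    """DLLs of this entry whose path on the line sits under the system32 directory."""
    return {
        d for d in entry["dlls"]
        if re.search(r"\\system32\\" + re.escape(d), entry["rest"], re.I)
    }


def entry_flags(entry):
    """Per-line signals; each is a reason for a human to look, not a verdict."""
    flags = []
    sys32 = system32_dlls(entry)
    if "(file missing)" in entry["rest"]:
        flags.append("file-missing")
    if entry["kind"] == "O2" and sys32:
        flags.append("bho-in-system32")
    if entry["kind"] == "O4" and "rundll32.exe" in entry["rest"].lower() and sys32:
        flags.append("rundll32-run-key")
    if entry["kind"] == "O20" and (sys32 - KNOWN_NOTIFY):
        flags.append("unknown-winlogon-notify")
    return flags


def cross_referenced_dlls(entries):
    """DLLs that appear under more than one entry kind (e.g. both O2 and O20)."""
    seen = defaultdict(set)
    for e in entries:
        for d in e["dlls"]:
            seen[d].add(e["kind"])
    return {d for d, kinds in seen.items() if len(kinds) > 1}


def triage(text):
    """Return [(raw_line, [flags...])] for every line that raised a signal."""
    entries = parse_log(text)
    multi = cross_referenced_dlls(entries)
    findings = []
    for e in entries:
        flags = entry_flags(e)
        if e["dlls"] & multi:
            flags.append("multiple-load-points")
        if flags:
            findings.append((e["raw"], flags))
    return findings


if __name__ == "__main__":
    for raw, flags in triage(SAMPLE_LOG):
        print(", ".join(flags).ljust(45), raw)
```

Run against the sample, the script leaves the Adobe BHO, the AVG Run entry and WgaLogon alone and flags the nine remaining lines; the "multiple-load-points" flag on byxwwtu.dll and vtsts.dll is the strongest of the signals, since a benign component rarely registers itself both as a BHO and as a Winlogon Notify handler.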

#4 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff; 15,131 posts)
Hello Paul and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

Both scans look the same to me I must admit.

The trained eye sees that the O2 and O20 items were missing in the first log, which is where most of the troubles lie.

You have quite a mixture of malware and Trojans including a ConHook infection. Let’s see what we can do.

If you can, please temper your enthusiasm and do just the fixes I ask you to and provide just the logs I ask for until you are declared clean.

You appear to have two antivirus (AV) programmes running; Avast and AVG. This is bad practice as they will cause slowness and also conflicts. Please uninstall one of them.

May I just correct your syntax here: F:\Program Files\Crusty.exe\Crusty.exe That should be: F:\Program Files\HJT\Crusty.exe

Firstly, could you please disable Windows Defender. Open Windows Defender. Click Tools, and then click General Settings. Under Protection options, clear the Use Windows Defender to help protect my computer check box. Then click Save.

Also please uninstall Ewido since it is now out of date and has been superseded by AVGas. We can download a fresh version with yet another free 30-day trial period – can’t be bad. If my memory serves me well, you have to use Windows Explorer to get to: C:\Program Files\Grisoft\Ewido\uninstall

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log, from normal mode, in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If VundoFix does not find and delete the files, please try running it a bit differently:
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\vtsts.dll
    • C:\WINDOWS\system32\ststv.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt

Please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
AVG AntiSpyware

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please install and update Ewido/AVG Anti-Spyware:
  • Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Deselect "Only if threats were found"
  • Close AVGas. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode
  • In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\byxwwtu.dll
O2 - BHO: (no name) - {0E699830-AD52-42FB-89B8-A60DB99AE009} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: (no name) - {26080D13-ECC6-DC2B-A47C-041EB8AF9035} - C:\WINDOWS\system32\nkojbyh.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\krwparjd.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hezymgf.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\hezymgf.dll,gznvoxe
O4 - HKLM\..\Run: [wgosrej.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: byxwwtu - C:\WINDOWS\SYSTEM32\byxwwtu.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into normal mode.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Common Files\{50E7BE92-0872-2057-0724-03030902002c}\Update.exe
C:\WINDOWS\TEMP\win51E.tmp.exe
C:\WINDOWS\system32\byxwwtu.dll
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\nkojbyh.dll
C:\WINDOWS\system32\wgosrej.dll
C:\WINDOWS\SYSTEM32\winhoo32.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default settings in the left-hand pane, ensure you uncheck Old Prefetch data under the System tab, and under the heading Applications uncheck the AVGas Anti-malware log, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (I make it 3 logs in total please)
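For readers following the HijackThis step above, here is a small triage script that applies the same judgement Phil used when picking the O2, O4 and O20 entries to fix and then turns the surviving on-disk DLLs into the kind of path list that was pasted into Killbox. It is an added example, not code from this thread, from Phil, or from the HijackThis project. The heuristics (a BHO or Winlogon Notify handler loaded straight from system32, an O4 Run entry that starts a system32 DLL through rundll32, and entries whose file is already missing) and the allow-list of stock Windows XP Winlogon Notify names are the example's own assumptions; the sample log lines are copied from the log posted in this thread.

```python
"""Triage the HijackThis entries a malware-removal helper would fix.

Added example; it is neither code from this thread nor from HijackThis.
The heuristics are assumptions modelled on the entries the helper chose to
fix above: BHOs or Winlogon Notify handlers loading a DLL straight out of
system32, O4 Run entries that start a system32 DLL through rundll32, and
entries whose file is already gone.  Sample lines are copied from the log
posted in this thread.
"""
import re
from dataclasses import dataclass

# Winlogon\Notify subkeys a stock XP SP2 install registers (plus WgaLogon,
# which the helper left alone).  This allow-list is the example's own.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# rundll32 loading "<dll>,<export>"; the quotes around rundll32's path are optional.
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+(?P<dll>[^,\s"]+\.dll),(?P<export>\w+)', re.I)
# A DLL sitting directly in %SystemRoot%\system32.
SYSTEM32_DLL_RE = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\[^\\]+\.dll$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag: O2, O4 or O20
    reason: str    # which heuristic fired
    path: str      # file the entry loads, annotation stripped
    missing: bool  # HijackThis reported "(file missing)" / "(no file)"
    line: str      # the original log line


def split_missing(path: str):
    """Strip HijackThis's missing-file annotation; return (path, is_missing)."""
    missing = "(file missing)" in path or path.strip() == "(no file)"
    return path.replace("(file missing)", "").strip(), missing


def triage(lines):
    """Return the Findings for the O2/O4/O20 lines of a HijackThis log."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O2_RE.match(line):
            path, missing = split_missing(m["path"])
            if missing:
                findings.append(Finding("O2", "BHO whose DLL is already gone", path, True, line))
            elif SYSTEM32_DLL_RE.match(path):
                findings.append(Finding("O2", "BHO loaded straight from system32", path, False, line))
        elif m := O4_RE.match(line):
            r = RUNDLL_RE.search(m["cmd"])
            if r and SYSTEM32_DLL_RE.match(r["dll"]):
                findings.append(Finding("O4", f"rundll32 autostart of system32 DLL export {r['export']}",
                                        r["dll"], False, line))
        elif m := O20_RE.match(line):
            path, missing = split_missing(m["path"])
            if missing:
                findings.append(Finding("O20", "Winlogon Notify handler whose DLL is gone", path, True, line))
            elif m["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("O20", "Winlogon Notify handler outside the stock XP set",
                                        path, False, line))
    return findings


def files_to_remove(findings):
    """Distinct on-disk DLLs named by the findings, in first-seen order.
    Missing files are skipped: a Delete-on-Reboot tool has nothing to delete."""
    out, seen = [], set()
    for f in findings:
        key = f.path.lower()
        if f.missing or key in seen:
            continue
        seen.add(key)
        out.append(f.path)
    return out


# Lines copied from the HijackThis log posted in this thread (benign ones included
# so the heuristics have something to leave alone).
SAMPLE_LOG = [
    r'R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =',
    r'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll',
    r'O2 - BHO: MSEvents Object - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\byxwwtu.dll',
    r'O2 - BHO: (no name) - {0E699830-AD52-42FB-89B8-A60DB99AE009} - C:\WINDOWS\system32\vtsts.dll',
    r'O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\krwparjd.dll (file missing)',
    r'O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP',
    r'O4 - HKLM\..\Run: [hezymgf.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\hezymgf.dll,gznvoxe',
    r'O4 - HKLM\..\Run: [wgosrej.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wgosrej.dll,oxdzwwb',
    r'O20 - Winlogon Notify: byxwwtu - C:\WINDOWS\SYSTEM32\byxwwtu.dll',
    r'O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll',
    r'O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4}{'MISSING ' if f.missing else ''}{f.reason}: {f.path}")
    print("Paths a Delete-on-Reboot tool would be given:")
    for p in files_to_remove(found):
        print("  " + p)
```

Run against the sample, the script flags the same byxwwtu, vtsts, krwparjd, hezymgf, wgosrej and WRNotifier entries Phil listed and leaves the Adobe, AVG and WgaLogon lines alone; the one entry it does not reproduce is KernelFaultCheck, which is a Windows crash-reporting launcher rather than something the heuristics have any reason to catch. Note that the same DLL usually appears twice (as a BHO and as a Winlogon Notify handler), which is why the path list is deduplicated before it is handed to a deletion tool.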

#5
paulinspain
    Member
  • Topic Starter
  • Member
  • 77 posts
Hi Phil,
Oh Boy!
I have followed your instructions to the letter down to including VundoFix.exe to & including “Once you click yes, your desktop will go blank as it starts removing Vundo.”

It popped up twice that there were two files it could not remove and would do so on reboot. After the second popup disappeared the PC froze! I cannot move the cursor & the keyboard is locked up too. Nothing appears to be happening. No audio sign to be heard from the hard drives working, if you know what I mean. No, I'm not panicking. Should I switch off the power from the back and wait 40 seconds? At the end of your instructions it says the following:
"If your computer does not restart automatically, please restart it manually. "
Does that count anywhere the PC may lock up during this process?

By the way the PC has four user accounts set up and is also connected via a wireless network to my sons PC which I am now using for this correspondence.

I will await your response,
Kind Regards
Paul

#6
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
When faced with those limited choices Paul, the answer is do whatever you can. Good luck.

#7
paulinspain
    Member
  • Topic Starter
  • Member
  • 77 posts
Thanks for being so efficient & speedy. Re your enquiry: this PC is a family PC; though I am the main user, it has three other user settings.
When I turned my PC on to start running your suggested action I had the following two small grey windows open, so I have included them for you to see.

This was on Reboot after the PC locked me out.
Generic Host Process for Win32 Services
Generic Host Process for Win32 has encountered a problem & needs to close. We are sorry…..
szAppName : svchost.exe szAppVer : 5.1.2600.2180 szModName : unknown
szModVer : 0.0.0.0 offset : 00000000
The following files will be included in this error report:
C:\DOCUME~1\Paul\LOCALS~1\Temp\WER2911.dir00\svchost.exe.mdmp
C:\DOCUME~1\Paul\LOCALS~1\Temp\WER2911.dir00\appcompat.txt

Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.
AppName: iexplore.exe AppVer: 7.0.5700.6 ModName: wgosrej.dll
ModVer: 0.0.0.0 Offset: 00010601
C:\DOCUME~1\Paul\LOCALS~1\Temp\9649_appcompat.txt

Initial VundoFix V6.2.1 Log:
C:\ WINDOWS\system32\nkojbyh.dll
C:\ WINDOWS\system32\wgosrej.dll
C:\ WINDOWS\system32\winhoo32.dll

C:\ WINDOWS\system32\mpipsgep.dll
C:\ WINDOWS\system32\vtsts.dll
C:\ WINDOWS\system32\ststv.ini
C:\ WINDOWS\system32\ststv.bak2

After VundoFix Logfile of HijackThis v1.99.1
Scan saved at 10:47:51, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
E:\Program Files\DAEMON Tools\daemon.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Defender\MSASCui.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{50E7BE92-0872-2057-0724-03030902002c}\Update.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\WINDOWS\TEMP\win51E.tmp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Program Files\Crusty.exe\Crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonic.....ma+es,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\byxwwtu.dll
O2 - BHO: (no name) - {0E699830-AD52-42FB-89B8-A60DB99AE009} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: (no name) - {26080D13-ECC6-DC2B-A47C-041EB8AF9035} - C:\WINDOWS\system32\nkojbyh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\krwparjd.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [hezymgf.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\hezymgf.dll,gznvoxe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [wgosrej.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msn.co.uk
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.nero.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epso.../EpsonSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.0.84.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133442798833
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133483226562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: byxwwtu - C:\WINDOWS\SYSTEM32\byxwwtu.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



Restarted after HijackThis Scan & this popped up @ 14.12pm
Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
szAppName : svchost.exe szAppVer : 5.1.2600.2180 szModName : unknown
szModVer : 0.0.0.0 offset : 00000000
C:\DOCUME~1\Paul\LOCALS~1\Temp\WER6caa.dir00\svchost.exe.mdmp
C:\DOCUME~1\Paul\LOCALS~1\Temp\WER6caa.dir00\appcompat.txt

AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 13:43:20 12/10/2006
+ Scan result:
C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll -> Adware.Softomate : Cleaned.
C:\Program Files\Common Files\{50E7BE92-0872-2057-0724-03030902002c}\Update.exe -> Adware.Softomate : Cleaned.
C:\Program Files\Common Files\{50E7BE92-0872-2057-0724-03030902002c}\services.dll -> Adware.Softomate : Cleaned.
C:\WINDOWS\Temp\idd18.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd29.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd520.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd522.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd524.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd525.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd526.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd527.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd550.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd551.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd552.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd555.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd558.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd559.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd55C.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd55D.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd55E.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd560.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd564.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd573.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd575.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd576.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd583.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd584.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd5D8.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd5EE.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd5EF.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd5F0.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd5F9.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd5FB.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd5FD.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd610.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd632.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd654.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd67B.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd67C.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd688.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd68F.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd69A.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd6C0.tmp.exe -> Dialer.Small : Cleaned.
C:\WINDOWS\Temp\idd8.tmp.exe -> Dialer.Small : Cleaned.
C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller98.exe -> Dropper.Inflator.a : Cleaned.
:mozilla.13:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.17:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned.
:mozilla.21:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.22:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\HRW7Z0G6\antzom[1].exe -> Trojan.Agent.vg : Cleaned.
C:\VundoFix Backups\winhoo32.dll.bad -> Trojan.Agent.vg : Cleaned.

::Report end

Last requested HJT Logfile of HijackThis v1.99.1

Scan saved at 14:48:38, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\HJT\Crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonic.....ma+es,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14FC7E11-C3AC-45E0-B68A-01DE86E61CE4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll (file missing)
O2 - BHO: (no name) - {F844661A-C8E6-42B1-88DD-5304CB958E80} - C:\WINDOWS\system32\jkkjj.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epso.../EpsonSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.0.84.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133442798833
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133483226562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Please note I could not find the following files in HJT to check & delete:
O2 - BHO: MSEvents Object - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\byxwwtu.dll
O2 - BHO: (no name) - {0E699830-AD52-42FB-89B8-A60DB99AE009} - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: byxwwtu - C:\WINDOWS\SYSTEM32\byxwwtu.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll

After Vundo I received the following:

RUNDLL
Error loading C:\WINDOWS\system32\wgosrej.dll
The specified module could not be found.
However, I do note that Vundo deleted this file.

I hope that this now means my machine is clean. But probably not.
I look forward to your reply with keen interest & thanks for persevering with me.

By the way, I was sorry to see that you are a Meniere's Disease sufferer, as my father has suffered from it for many years now and it has caused him and naturally my mother a lot of frustration over the years. He is totally deaf in one ear & the other ear? Well, you know what it must be like. The poor chap has really gone through it though, constantly battling against heart disease & now, to top it off at this late stage of his life, Motor Neuron disease.

In case you’re interested, I suffer from a severe form of asthma called “Brittle Asthma” and in order to make things easier on my family (as until recently I was wheelchair bound) we moved to Spain 5 years ago. I use the PC daily to keep in touch with The Royal Brompton Hospital, which constantly monitors my health via a specially designed Bluetooth monitor that can adjust the amount of drugs I need to be literally pumped into my system. It’s incredible what they can do today, isn’t it?

Well Phil, I look forward to your reply when you can.
Kind Regards, Paul

#8
paulinspain (Member, Topic Starter, 77 posts)
Hi Phil,
I have obviously made a faux pas.
I went online with IE & as soon as it opened I started to enter the geekstogo address, when I got the following. Man, these things drive me mad.

Windows Internet Explorer
! There is a security vulnerability from the TrojanSPM/LX. We recommend you DOWNLOAD one of the security software programs to prevent malware infections.

Then a window from the following opened. What is so crazy is that the address itself shows that it’s a worm.

http://www.amaena.co...d1bd84e640e2532

A sort of antivirus logo came up with a window showing a graph of how long it will take for my whole system to become infected.

When I closed this window another antivirus warning came up. I closed then got another!

What I don’t understand is that I have the latest AVG7, updated today, up & running with AVG Anti-Spyware that was updated today. How is it able to get through?
SORRY!
Paul

#9
Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again Paul

You certainly know how to have fun with a PC in Spain. :whistling:

You are quite right to be annoyed with the security programmes, because you have the Blaster virus on your PC. I am going to give you a link to a Symantec page devoted to this little beauty; please read it and disable your System Restore before using the tool (you can ignore the bit about Live Update). Please download the tool and run it as prescribed by them: http://securityrespo...moval.tool.html

I think that will stop the fun and games you are having. Please delete from your PC, the copy of VundoFix you have.

I see two infections on your PC right now. One is called ConHook and the other is Puper. I will need two fixes for them. This one is for Puper only, but before we do that, a good clean out is in order.

Please delete your temporary files.

Click on START > RUN > type in cleanmgr and hit ENTER

You will see a window asking you to choose your harddrive (most likely C: Drive)

Click it and Windows will now scan the drive and show you the results

Make sure the following are checked:
  • Downloaded Program Files
  • Temporary Internet Files
  • Recycle Bin
  • Compress Old Files (if you want more disk space)

Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder). A couple of files may be in memory and will not therefore delete, this is normal.

With that done, time for the fix. Please include the AVGas scan even though you have just run one.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

A. Please open AVG Anti Spyware
  • Please install, and update AVG Anti-Spyware/Ewido
  • Load AVGas/Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Close AVGas/Ewido. Do not run it yet.
B. Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

C. Open the SmitfraudFix Folder, (right click and choose Extract All) then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

D. Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

E. Close ALL open Windows / Programmes / Folders.
  • In Safe Mode, load AVGas/Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas/Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
Close AVGas/Ewido and Reboot in Normal Mode.
______________________________

F. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

G. Please post:
  • c:\rapport.txt
  • AVGas/Ewido log
  • A new HijackThis log (from normal mode).
You may need more than one reply to post the requested logs, otherwise they might get cut off.
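Crustyoldbloke's diagnosis above rests on reading the O2 (BHO) and O20 (Winlogon Notify) lines of Paul's HijackThis log. The Python script below is an added example, not part of this thread or of the HijackThis tool: it parses a constructed sample built from the lines posted above and flags the patterns the thread turns on, namely unnamed BHOs loading randomly named DLLs from system32, Winlogon Notify handlers outside an assumed Windows XP SP2 baseline, the same DLL registered in both places, and orphaned "(file missing)" entries. The baseline set and the looks_random heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log posted in this
# thread (plus one benign O23 line that the parser must ignore).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F844661A-C8E6-42B1-88DD-5304CB958E80} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: (no name) - {14FC7E11-C3AC-45E0-B68A-01DE86E61CE4} - (no file)
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll (file missing)
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Assumption: Winlogon Notify subkeys found on a stock Windows XP SP2 install. This is a
# starting baseline for comparison, not an exhaustive allowlist; extend it for your own builds.
BASELINE_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def parse_hjt(text):
    """Return the O2 and O20 entries of a HijackThis log as a list of dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _O2.match(line) or _O20.match(line)
        if not m:
            continue  # every other section (R0, O4, O16, O23, ...) is out of scope here
        path = m.group("path")
        missing = path.endswith("(file missing)") or path == "(no file)"
        path = path.replace(" (file missing)", "").strip()
        entries.append({
            "section": line.split(" ", 1)[0],        # "O2" or "O20"
            "name": m.group("name"),
            "path": path,
            "dll": path.rsplit("\\", 1)[-1].lower(),  # file name only, case-folded
            "missing": missing,
        })
    return entries


def looks_random(dll):
    """Rough heuristic (an assumption, not a signature) for the randomly named DLLs this
    family drops, e.g. jkkjj.dll: a short, all-lowercase stem with at most one vowel."""
    stem = dll[:-4] if dll.endswith(".dll") else dll
    return (4 <= len(stem) <= 8 and stem.isalpha() and stem.islower()
            and sum(c in "aeiou" for c in stem) <= 1)


def triage(text):
    """Return (section, dll, reason) triples for the entries an analyst would check first."""
    entries = parse_hjt(text)
    sections_by_dll = defaultdict(set)
    for e in entries:
        sections_by_dll[e["dll"]].add(e["section"])

    findings = []
    for e in entries:
        if e["missing"]:
            findings.append((e["section"], e["dll"], "orphaned entry: referenced file is gone"))
            continue
        in_system32 = "\\system32\\" in e["path"].lower()
        if e["section"] == "O20" and e["name"].lower() not in BASELINE_WINLOGON_NOTIFY:
            findings.append((e["section"], e["dll"], "Winlogon Notify handler not in the XP baseline"))
        elif e["section"] == "O2" and e["name"] == "(no name)" and in_system32 and looks_random(e["dll"]):
            findings.append((e["section"], e["dll"], "unnamed BHO loading a randomly named DLL from system32"))
        # The strongest signal in this thread: one DLL hooked both into the browser (O2)
        # and into Winlogon (O20), which is how it reloads itself after cleaning attempts.
        if sections_by_dll[e["dll"]] >= {"O2", "O20"}:
            findings.append((e["section"], e["dll"], "same DLL registered as both BHO and Winlogon Notify handler"))
    return findings


if __name__ == "__main__":
    for section, dll, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {dll:16} {reason}")
```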

#10
paulinspain (Member, Topic Starter, 77 posts)
Hello again,

Well I haven’t followed your instructions all the way through because of the following:
I disconnected my PC from the router & turned off any programs that were running, i.e. AVG, plus turned off System Restore on All Drives etc. Then I ran FixBlast.exe as per the instructions from Symantec; the result was “W32.Blaster.Worm has not been found on your computer.” So I rebooted into safe mode, with the same result! :whistling: I imagine that could be good news, but probably not, as it possibly means it’s either hidden somewhere else or it’s a different worm/virus. :blink:
Here’s the other interesting thing: after the FixBlast scan I turned the machine off fully and then restarted, only to find the following: “AVG Anti-Spyware found Downloader.Zlob.apc location C:\WINDOWS\system32\ishost.exe Action: Cleaned & moved to quarantine.”

Again I shut the machine down & restarted later to find the following Window “Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.”
szAppName : svchost.exe szAppVer : 5.1.2600.2180 szModName : unknown
szModVer : 0.0.0.0 offset : 00000000
C:\DOCUME~1\Paul\LOCALS~1\Temp\WERfc9d.dir00\svchost.exe.mdmp
C:\DOCUME~1\Paul\LOCALS~1\Temp\WERfc9d.dir00\appcompat.txt

Once I closed this window only the wall paper was left showing on the desktop? So I rebooted to normal mode, again only wall paper on the desktop. Mouse & Keyboard were not locked up so I used Windows Task Manager.

Switched off the power & waited 40 secs, switched on & restarted, to see the above Generic Host Process for Win32 Services window again, but this time with the full desktop on display. Closed the above window & everything appears AOK.

So should I proceed as per your earlier instructions? Or where do we go from here? Here is the latest copy of HJT:
Logfile of HijackThis v1.99.1
Scan saved at 01:33:57, on 13/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
F:\Program Files\HJT\Crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telefonic.....ma+es,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CE928AF-029C-4E8D-A94C-C1F5ED78893F} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: (no name) - {14FC7E11-C3AC-45E0-B68A-01DE86E61CE4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epso.../EpsonSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.0.84.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133442798833
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133483226562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Good night for now,
Paul

Edited by Crustyoldbloke, 12 October 2006 - 06:03 PM.


#11 paulinspain (Member, Topic Starter, 77 posts)
Phil!
Sorry the reply was in such a large font size, a total accident on my part. Again, sorry. :whistling:
Paul

#12 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
I have corrected your post in giant letters.

Please proceed fully with the Smitfraud fix since it is focused on Zlob, and post the logs as requested.

#13 paulinspain (Member, Topic Starter, 77 posts)
Hi Phil, :)
Talk about a Nightmare in Spain!
Do you want a computer going cheap? :blink:

The Computer seems to be running a little unstable as you will see. :help:
Have tried to run Smitfraudfix.cmd; this is what has happened so far:
1. During reboot into SafeMode When I selected Yes it came up “New programs installed” (What new programs?) then proceeded to reboot into normal mode until I intervened with F8.
2/a. On reboot to SafeMode I only got a blank Black screen with SafeMode in white in the corners. I waited 15 minutes to see what would happen. Nothing
2/b. Action: Task Manager>Reboot
2/c. As per 2/a
2./d. Action: Turn power off for 40 Secs>restart>safe mode
2/e/1. “Windows in SafeMode” option flicked on/off too quickly to accept
2/e/2. Windows Taskmanager>file>new task>create new task>browse>desktop>SmitfraudFix NOT THERE!?
2/f. Reboot>normal mode
2/g. Wallpaper only on desktop, NO icons
2/h. Task Manager (“Generic Processor for Win32 Services ….” window back again!) >file>new task>desktop>SmitfraudFix> Active Open Only. Will not allow me to send to or move.
2/i. Power off> reboot normal mode>move SmitfraudFix to My Docs
2/j. Reboot to SafeMode as per 2/e/1.
2/k. Windows Task Manager>File>New Task>Create New Task>Browse>My Docs - It’s not there! Browse>Paul's Docs>SmitfraudFix>open folder
3. Cannot find “smitfraudfix.cmd” This is what there is:
“SmitfraudFix”
“dumphive”
“GenericRenosFix”
“Process”
“Restart”
“SmithfraudFix”
“SmiUpdate”
“SrchSTS”
“swreg”
“swsc”
“unzip”
So which, if any, of these do I select? I have run the cursor over each one to see any other information and checked their properties, but I am still none the wiser I’m afraid.
Should I try downloading “SmitfraudFix” to a memory stick and try to access it through Safe Mode that way? Not sure it will let me though.
Paul

PS I noticed that AVG/ewido Antispyware has “Zlob” in quarantine. :whistling:

#14 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Smitfraud is a zip file, so after it has downloaded, right click and choose EXTRACT - you should now see smitfraudfix.cmd

If you have to run in normal mode, so be it.

These are the two options for safe mode: During a boot, keep tapping the F8 key and choose Safe mode from the advanced menu or go to Start>Run>type in Msconfig>hit ENTER>Boot.ini and check SafeBoot>Apply, reboot.

If you boot to safe mode and get a black screen, press ctrl, alt and delete at the same time. Click on file then new task(run...) In the Open box type msconfig and press enter. If msconfig opens click the boot.ini tab at the top then uncheck /SAFEBOOT Then click on the general tab at the top and make sure Normal startup is checked. Click Apply then OK. The computer should now prompt you to reboot. Hopefully you will be able to get into normal windows now.

#15 paulinspain (Member, Topic Starter, 77 posts)
Hi Phil,
Sorry for the delay in getting back to you, :whistling: with the weather having changed it’s been a bit of a struggle today, but here we go.

Safe Mode
C. Finally opened smitfraudfix.cmd and selected option #2 - Clean. This is what I got at first in the CMOS Window:
Killing Process
Generic Remos Fix
Delete Infected Files
C Script Error:loading your settings failed(Access is denied).
..........................................................................................
"The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.” Didn’t Happen.
.........................................
SmitFraudFix v2.109

Scan done at 23:08:56.98, 13/10/2006(IN SAFE MODE)
Run from C:\Documents and Settings\Paul\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
………………………………………………………………………..
SmitFraudFix v2.109 (In Normal Mode)

Scan done at 23:08:56.98, 13/10/2006
Run from C:\Documents and Settings\Paul\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
............................................................................................

“D. Clean out your Temporary Internet files. Proceed like this: In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.”
In Internet Explorer 7 the options are different, being: General>Browsing>History>Settings.

“Under Web Pages you should see a checked entry called Security info or something similar.”
Not on Internet Explorer 7.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:21:19 14/10/2006

+ Scan result:

C:\!KillBox\byxwwtu.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cbxvwwt.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.48:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.69:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.59:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.60:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.51:C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ya4vwp5c.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

::Report end

Here is the latest copy of HJT
Logfile of HijackThis v1.99.1
Scan saved at 17:59:59, on 14/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-gb\msn_sl.exe
F:\Program Files\HJT\Crusty.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14FC7E11-C3AC-45E0-B68A-01DE86E61CE4} - (no file)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\jptargrl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6AD1577E-6F83-4299-BE5F-F597E3D7DFD7} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SCDEmuApp.exe] e:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mm_server] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InkSaver] E:\Program Files\InkSaver.exe hide
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] F:\SpeedUpMyPC3\SpeedUpMyPC.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InkSaverCheck.lnk = ?
O4 - Global Startup: InterVideo Scheduler server.lnk = E:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = E:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?b205655d7ba8482699a7fb2f14fdf15a
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epso.../EpsonSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.0.84.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133442798833
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133483226562
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Well, that’s the end of that.
Still unable to get Safe Mode to open correctly, i.e. with icons on the Desktop. I had to go through Task Manager>File>Create New Disk etc.

Normal mode? Well, that will only open to a blue screen with no icons either! Not a B.S.O.D., thank goodness, as I was still able to access the Task Manager etc. After the third attempt of leaving it alone for fifteen minutes, then rebooting or switching off, the icons came on roughly 20 minutes after I started using the Task Manager. :blink:
So where do we go from here, Maestro?
Thanks for persevering with me. Paul
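Editor's note, added to this thread and not a tool either poster used: the HijackThis log above contains the two kinds of entry a malware helper looks for first, O2 BHO and O20 Winlogon Notify lines loading short random-named DLLs out of system32 (jkkjj.dll, jptargrl.dll; the AVG report names the family as Virtumonde/Vundo), and orphaned entries whose target is "(no file)" or "(file missing)". The script below parses a log in the HJT 1.99 format and lists both, and cross-references any DLL that is hooked from both IE and winlogon.exe. The sample log is constructed from lines quoted in the thread; the "random-looking name" heuristic and the known-good list are assumptions for illustration, not detection signatures, so treat the output as a triage list to hand to a helper, not a verdict.

```python
"""Triage a HijackThis 1.99 log for Vundo-style BHO / Winlogon Notify hooks
and orphaned entries.  Added example for this thread; the name heuristic
and KNOWN_GOOD list are assumptions, not signatures."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O3/O20 lines from Paul's log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14FC7E11-C3AC-45E0-B68A-01DE86E61CE4} - (no file)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\jptargrl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6AD1577E-6F83-4299-BE5F-F597E3D7DFD7} - C:\WINDOWS\system32\jkkjj.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E7BE92-0872-2057-0724-03030902002c}\MyToolBar.dll (file missing)
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")   # "O20 - Winlogon Notify: name - path"
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
TRIAGED_SECTIONS = {"O2", "O3", "O20"}               # BHOs, toolbars, Winlogon Notify handlers
# Stems the helper in this thread left alone; assumed good for this example only.
KNOWN_GOOD = {"wgalogon", "sdhelper", "acroiehelper"}


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O20", ...
    kind: str      # "BHO", "Toolbar", "Winlogon Notify", ...
    name: str      # display name or registry value name
    path: str      # last " - " field: loaded file, "(no file)" or "... (file missing)"


def parse_hjt(text: str) -> list:
    """Turn the O-numbered lines of an HJT log into Entry objects; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue                                  # R0/R1/O4 etc. are not handled here
        section, kind, rest = m.groups()
        fields = rest.split(" - ")                    # name [- CLSID] - path
        entries.append(Entry(section, kind, fields[0], fields[-1]))
    return entries


def dll_stem(path: str) -> str:
    """Lower-cased file name without extension, e.g. jkkjj from a system32 path."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): Vundo drops 5-8 lowercase letters with almost no
    vowels, as in jkkjj, jptargrl, hezymgf and cbxvwwt from this thread."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.25


def triage(entries) -> list:
    """Return (section, reason, path) tuples worth a second look."""
    findings = []
    loaders = defaultdict(set)                        # lower-cased path -> sections loading it
    for e in entries:
        if e.section not in TRIAGED_SECTIONS:
            continue
        if e.path == "(no file)" or e.path.endswith("(file missing)"):
            findings.append((e.section, "orphan entry: target missing, fix is harmless", e.path))
            continue
        stem = dll_stem(e.path)
        if stem in KNOWN_GOOD:
            continue
        loaders[e.path.lower()].add(e.section)
        if SYSTEM32.search(e.path) and looks_random(stem):
            findings.append((e.section, "random-named DLL in system32 (Vundo pattern)", e.path))
    # A DLL registered as both a BHO and a Winlogon Notify handler survives
    # IE being closed, which is why Paul keeps seeing it come back.
    for path, sections in loaders.items():
        if {"O2", "O20"} <= sections:
            findings.append(("O2+O20", "same DLL hooks both IE (BHO) and winlogon (Notify)", path))
    return findings


if __name__ == "__main__":
    for section, reason, path in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:<6} {reason:<52} {path}")
```

Run against the sample it lists the two orphans, jptargrl.dll and jkkjj.dll as system32 entries with random names, and jkkjj.dll a third time as the DLL loaded by both IE and winlogon.exe, while leaving WgaLogon.dll and the Adobe and Spybot helpers alone. The Winlogon Notify hook is the part that matters for cleanup: a DLL loaded by winlogon.exe is mapped before the desktop appears, so a Safe Mode fix or a boot-time deletion tool is what the helpers here reach for rather than deleting the file from a running session.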