Here are the 3 logs
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 4:40:15 AM, 8/8/2005
+ Report-Checksum: A85937E2
+ Scan result:
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
C:\Downloads\backup-20050728-042956-925.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\ms32.tmp -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\egames.ico:cbrwqq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\invitessk.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\javaat.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\kbggbhl.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\NOTEPAD.EXE:lamed -> TrojanDownloader.Agent.an : Cleaned with backup
C:\WINDOWS\nvoclk64.sys:dbxrx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:pthas -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sec.exe -> TrojanDropper.Small.wv : Cleaned with backup
C:\WINDOWS\SOUNDMAN.EXE:fzsdl -> TrojanDownloader.Agent.cd : Cleaned with backup
C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\sysbs.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32:qdaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\syslt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winnt.bmp:pndfe -> TrojanDownloader.Agent.an : Cleaned with backup
C:\WINDOWS\_default.pif:jpjpoz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:rozctp -> Trojan.Agent.bi : Cleaned with backup
::Report End
_________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 4:46:54 AM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ppctlcab -
http://www.pestscan....er/ppctlcab.cabO16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.t...all/xscan60.cabO16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -
http://www.creative....119/CTSUEng.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft....k/?linkid=39204O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -
http://www.fileplane...DC_1_0_0_44.cabO16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) -
https://www.e-games....GamesPlugin.cabO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.r...ip/RdxIE601.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.micros...b?1123007580998O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) -
http://www.parallelg...in/cortvrml.cabO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn...pDownloader.cabO16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) -
http://kr.pristontal...protect/npx.cabO16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) -
http://www.creative....12119/CTPID.cabO23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
_________________________________________________________
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Maxthon"="??"
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension"
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}"="Window Washer Shell Shredding Utility"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"CLSID\\{EBDF1F20-C829-14D1-8234-1420AF3E97A9}"="LeechGet \"Copy Here\" Shell Extension"
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}"="TMD Shell Extension"
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}"="VBPropSheet"
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
apiko.dll Sat Jul 30 2005 11:06:12p A.... 0 0.00 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
d3dx9_26.dll Thu May 26 2005 3:34:52p A.... 2,297,552 2.19 M
gwfspi~1.dll Wed Aug 3 2005 10:33:38a A.... 23,304 22.76 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
legitc~1.dll Wed Aug 3 2005 10:33:42a A.... 520,456 508.26 K
nv4_disp.dll Wed Jun 15 2005 5:20:00p A.... 3,896,320 3.71 M
nvcod.dll Wed Jun 15 2005 5:20:00p A.... 32,768 32.00 K
nvcodins.dll Wed Jun 15 2005 5:20:00p A.... 32,768 32.00 K
nvcpl.dll Wed Jun 15 2005 5:20:00p A.... 6,803,456 6.49 M
nvhwvid.dll Wed Jun 15 2005 5:20:00p A.... 540,672 528.00 K
nview.dll Wed Jun 15 2005 5:20:00p A.... 1,462,272 1.39 M
nvmctray.dll Wed Jun 15 2005 5:20:00p A.... 86,016 84.00 K
nvnt4cpl.dll Wed Jun 15 2005 5:20:00p A.... 286,720 280.00 K
nvoglnt.dll Wed Jun 15 2005 5:20:00p A.... 5,136,384 4.90 M
nvshell.dll Wed Jun 15 2005 5:20:00p A.... 466,944 456.00 K
nvwddi.dll Wed Jun 15 2005 5:20:00p A.... 81,920 80.00 K
nvwdmcpl.dll Wed Jun 15 2005 5:20:00p A.... 1,662,976 1.59 M
nvwimg.dll Wed Jun 15 2005 5:20:00p A.... 1,019,904 996.00 K
pncrt.dll Tue May 17 2005 10:57:34p A.... 278,528 272.00 K
pndx5016.dll Tue May 17 2005 10:57:34p A.... 6,656 6.50 K
pndx5032.dll Tue May 17 2005 10:57:34p A.... 5,632 5.50 K
rmoc3260.dll Tue May 17 2005 10:57:38p A.... 176,167 172.04 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:19:32a A.... 173,536 169.47 K
30 items found: 30 files, 0 directories.
Total of file sizes: 27,454,887 bytes 26.18 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 4467-E75B
Directory of C:\WINDOWS\System32
08/06/2005 11:42 PM <DIR> dllcache
10/16/2004 06:07 PM 0 mcc.exe
10/16/2004 06:07 PM 0 d2kpax.exe
10/16/2004 06:07 PM 0 d2kpax.dll
10/16/2004 06:07 PM 0 a.exe
10/16/2004 06:07 PM 0 jac.dll
10/16/2004 06:07 PM 0 bridge.dll
10/16/2004 06:07 PM 0 msxslab.dll
09/24/2004 10:35 AM 15,360 shdocpe.dll
09/24/2004 10:35 AM 7,681 MS03i048s824145xPrivacyAPI32.html
08/26/2003 06:49 PM <DIR> Microsoft
09/30/1999 07:21 PM 166,672 mstext35.dll
09/28/1999 09:42 PM 1,050,896 msjet35.dll
09/09/1999 10:06 PM 252,688 msexcl35.dll
09/09/1999 10:06 PM 168,720 msltus35.dll
08/25/1999 02:57 PM 415,504 msrepl35.dll
06/07/1999 06:59 PM 250,128 mspdox35.dll
04/25/1999 05:00 PM 287,504 Msxbse35.dll
16 File(s) 2,615,153 bytes
2 Dir(s) 76,676,452,352 bytes free