hclean32.exe



#1 kmantis (Member, 23 posts)
Hey, I've got a couple of problems I hope you can assist with.
1 - I have the virus hclean32.exe. 2 - I can't update to Microsoft SP1a; it tells me: c:\xp\syster32\drivers\atapi.sys is open or in use by another application. I thought I had a "version" of SP1 running but it doesn't show. I do have Microsoft VM. Ad-Aware and Spybot S&D are not running correctly. Spy Sweeper is keeping the virus in check but not removing it. Here is my Silent Runners log:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\XP\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"RedLine Taskbar" = "C:\Program Files\RedLine\Taskbar.exe" ["Byron Montgomerie"]
"BigPondCable" = ""C:\Program Files\Telstra\Cable Login\bpcable.exe" /r" ["Telstra"]
"NeroFilterCheck" = "C:\XP\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"iamapp" = "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Advanced Tools Check" = "C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\XP\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{40E69241-5D1A-11D1-81CB-727272727FFF}" = "Quick Register Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\CHANGE~1\cfishell.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\XP\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\XP\System32\Audiodev.dll" [MS]
"{C14F7681-33D8-11D3-A09B-00500402F30B}" = "ImageToPDF"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AdultPDF\Image To PDF\Menu.dll" [empty string]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csnsf.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ImageToPDF\(Default) = "{C14F7681-33D8-11D3-A09B-00500402F30B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AdultPDF\Image To PDF\Menu.dll" [empty string]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CFI\(Default) = "{40E69241-5D1A-11D1-81CB-727272727FFF}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\CHANGE~1\cfishell.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\XP\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\XP\System32\logon.scr" [MS]


Startup items in "K Hutton" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"gameutil.exe" -> shortcut to: "C:\Program Files\redline\gameutil.exe" ["Byron Montgomerie"]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Canon LASER SHOT LBP-1120 Status Window" -> shortcut to: "C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE !N" ["CANON INC."]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\XP\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Accounts Manager, NISUM, "C:\Program Files\Norton Personal Firewall\NISUM.EXE" ["Symantec Corporation"]
Norton Personal Firewall Proxy Service, SymProxySvc, "C:\Program Files\Norton Personal Firewall\SymProxySvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Service, NISSERV, "C:\Program Files\Norton Personal Firewall\NISSERV.EXE" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE" ["Symantec Corporation"]
Panda Process Protection Service, PavPrSrv, ""C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\XP\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 63 seconds, including 6 seconds for message boxes)

#2 John_L (Visiting Staff, 1,398 posts)
Hi Kmantis, and welcome to Geeks To Go :tazz:

Sorry for the late reply; things get a little crazy around here sometimes.

OK, that Silent Runners log is something we may use later, but right now I need to see a HijackThis log.

HijackThis

*Important* : HijackThis! needs to be installed in its own folder, as it creates backups that you may need later (create a folder in "My Documents", for example...). This tool can be dangerous when handled improperly, so, PLEASE DON'T FIX ANYTHING WITH IT YET !! and wait for instructions. Run HijackThis!, then click on "Do a system scan and save a logfile". Save the log, then copy/paste it here so we can have a look.

Edited by John_L, 14 September 2005 - 08:12 PM.



#3 kmantis (Topic Starter, 23 posts)

Ah, sorry dude, here 'tis.

Logfile of HijackThis v1.99.1
Scan saved at 4:55:01 PM, on 15/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\csrss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\System32\Ati2evxx.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\XP\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\XP\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\redline\gameutil.exe
C:\XP\System32\devldr32.exe
C:\XP\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\K Hutton\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\XP\System32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FBCD010F-4B89-4C97-2875-CA4884A932F9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\XP\System32\ctfmon.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123553773483
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125135366594
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32651.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\XP\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\XP\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe


#4 John_L (Visiting Staff, 1,398 posts)

Hi Kmantis :tazz:

I don't see a heck of a lot wrong in here; let's take care of what I do.

Fire up HijackThis, press "Scan only" and place a check next to these.

O2 - BHO: (no name) - {FBCD010F-4B89-4C97-2875-CA4884A932F9} - (no file)
O4 - Global Startup: gameutil.exe.lnk = ?
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)

Close all browsers and open windows, and click Fix on HijackThis.

Reboot and show me a new log please. :)
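A small triage helper for HijackThis log lines, added here as an example (it is not a tool from this thread or from HijackThis itself). It flags the same kinds of entries picked out in the post above: entries ending in "(no file)" or "(file missing)", startup-folder shortcuts HijackThis could not resolve ("= ?"), and O23 services whose image path contains an unbalanced quote. The sample lines are copied from the logs posted in this thread; the regex, the reason strings and the triage() function are this example's own.

```python
import re

# Lines copied from the HijackThis logs posted in this thread (a constructed
# subset; the full logs are in the posts above).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FBCD010F-4B89-4C97-2875-CA4884A932F9} - (no file)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Every HijackThis entry starts with a section code such as O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Markers HijackThis appends when the file an entry points at cannot be found.
MISSING_MARKERS = ("(no file)", "(file missing)")


def entry_reasons(line):
    """Return the reasons an entry deserves a second look (empty list if none).

    Only the three checks described in the lead-in are implemented; anything
    that is not a HijackThis entry (headers, process list) yields [].
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    # Orphaned BHO / button / service: the registry entry outlived its file.
    if body.endswith(MISSING_MARKERS):
        reasons.append("points at a file that no longer exists")
    # Startup-folder shortcut whose target HijackThis could not resolve.
    if section == "O4" and body.startswith("Global Startup:") and body.endswith("= ?"):
        reasons.append("startup shortcut with an unresolvable target")
    # An odd number of quotes means the service ImagePath itself is malformed.
    if section == "O23" and body.count('"') % 2 == 1:
        reasons.append("malformed service image path (unbalanced quote)")
    return reasons


def triage(log_text):
    """Scan a whole log and return the flagged entries in log order.

    Each finding is a dict with the section code, the original line and the
    list of reasons, so a reviewer can paste the exact lines back into a reply.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = entry_reasons(line)
        if reasons:
            findings.append({"section": line.split(" - ", 1)[0],
                             "line": line,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    -", reason)
```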


#5 kmantis (Topic Starter, 23 posts)

OK, will do as soon as I am home (we've got a timezone difference thing happening here). FYI, every time I open my browser, Norton tells me I have hclean32.exe and I have to click the warning about 10x. Also my problem with SP1a: any ideas there? Is it really required? Thx dude.


#6 John_L (Visiting Staff, 1,398 posts)

Yes, SP1 is; without it we're getting nowhere. I see it is in your HijackThis log.

Please do me a favour and go here.

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.


#7 kmantis (Topic Starter, 23 posts)

OK, did as advised and when fixing got:

" - Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard."

Rebooted machine. Upon startup, Norton picked up Backdoor.Graybird and deleted it. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 4:20:34 PM, on 16/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\csrss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\System32\Ati2evxx.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\XP\system32\Ati2evxx.exe
C:\XP\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\XP\System32\ctfmon.exe
C:\XP\System32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\XP\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\K Hutton\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\XP\System32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [NAVNTSeq] C:\DOCUME~1\KHUTTO~1\LOCALS~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\KHUTTO~1\LOCALS~1\Temp\NAVNTL~1.INI /s:SPW_Set_Sequence
O4 - HKCU\..\Run: [CTFMON.EXE] C:\XP\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123553773483
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125135366594
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32651.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\XP\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\XP\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe

#8 kmantis (Topic Starter, Member, 23 posts)
Spysweeper picked up a new entry in my startups; here is my log again.

Logfile of HijackThis v1.99.1
Scan saved at 4:26:54 PM, on 16/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\csrss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\System32\Ati2evxx.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\XP\system32\Ati2evxx.exe
C:\XP\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\XP\System32\ctfmon.exe
C:\XP\System32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\XP\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\XP\System32\wuauclt.exe
C:\Documents and Settings\K Hutton\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\XP\System32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [NAVNTSeq] C:\DOCUME~1\KHUTTO~1\LOCALS~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\KHUTTO~1\LOCALS~1\Temp\NAVNTL~1.INI /s:SPW_Set_Sequence
O4 - HKCU\..\Run: [CTFMON.EXE] C:\XP\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123553773483
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125135366594
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32651.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\XP\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\XP\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
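A small triage script for logs in this format, added here as an example: it is not HijackThis code and not a tool either poster used, and the sample lines it embeds are a constructed subset copied from the log above. It groups entries by section code and flags the three things a helper usually checks first: entries whose target is reported as "(file missing)", O23 services with no publisher ("Unknown owner"), and O4 autoruns launched from a temp or per-user profile directory. Flagged only means "look at this", not malicious; ordinary vendor entries such as the ATI hotkey service land on the list too, which is why the output is a checklist for a human rather than a verdict.

```python
"""Quick triage of a HijackThis 1.99-style log.

Added example for this thread; it is not HijackThis code and not something the
posters ran. It only groups entries and flags items a helper would look at
first; it decides nothing about whether an entry is malicious.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log format above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:26:54 PM, on 16/09/2005
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\XP\System32\smss.exe
C:\XP\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\XP\System32\userinit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [NAVNTSeq] C:\DOCUME~1\KHUTTO~1\LOCALS~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\KHUTTO~1\LOCALS~1\Temp\NAVNTL~1.INI /s:SPW_Set_Sequence
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\XP\System32\Ati2evxx.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Item line: section code, " - ", then the entry body (header and process list do not match).
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O23 body: "Service: <name> - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# O4 body: "HKLM\..\Run: [<name>] <command>" (Global Startup lines deliberately do not match)
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Autoruns launched from a temp or per-user profile directory deserve a second look.
TEMP_PATH_RE = re.compile(r"\\(?:temp|tmp|locals~1|local settings)\\", re.IGNORECASE)


def parse_entries(log_text):
    """Return [(section, body), ...] for every item line; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Count entries per section and collect (kind, section, detail) findings in log order."""
    entries = parse_entries(log_text)
    findings = []
    for section, body in entries:
        if "(file missing)" in body:
            # Orphaned reference: the registry entry survived but its target is gone.
            findings.append(("missing-file", section, body))
        if section == "O23":
            svc = SERVICE_RE.match(body)
            if svc and svc.group("owner").strip().lower() == "unknown owner":
                # No publisher in the binary's version resource; verify the file by hand.
                findings.append(("unknown-owner-service", section, svc.group("name")))
        elif section == "O4":
            run = RUN_RE.match(body)
            if run and TEMP_PATH_RE.search(run.group("cmd")):
                findings.append(("autorun-from-temp", section, run.group("name")))
    return {"counts": dict(Counter(s for s, _ in entries)), "findings": findings}


def format_report(result):
    """Render the triage result as plain text suitable for pasting into a reply."""
    lines = ["Entries per section: "
             + ", ".join(f"{k}={v}" for k, v in sorted(result["counts"].items()))]
    for kind, section, detail in result["findings"]:
        lines.append(f"[{kind}] {section}: {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run against the sample, the report lists the NAVNTSeq RunOnce (launched from a Temp folder), the two "(file missing)" entries, and the two services without a publisher; the full log above would be triaged the same way by pasting it into SAMPLE_LOG or reading it from a file.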

#9 John_L (Visiting Staff, Member, 1,398 posts)
Hello again :tazz:

Let's bring out a couple of big guns and see what they can do for us.

Please make sure to read the entire response through before applying the fixes.

Also, if you have anything disabled in msconfig, restart them.

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

And this as well please.

Step 1:
Download the eScan Antivirus Toolkit Here. Save it to the Desktop; it is roughly 10MB in size.
Before running the program we need to update the signature files first in Step 2.

Step 2:
Updating the eScan Antivirus Toolkit with the latest files:

1.) Double-click on the mwav.exe file saved to the Desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky.)

2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file. Double-clicking on the kavupd.exe file opens the Windows command prompt (DOS screen) and updates the program with all the latest signature files.

3.) After the update is complete, the bottom of the command prompt will read "Press any key to continue"; click any key to close the screen.

Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 3:
Please reboot into Safe Mode. Detailed instructions on how to boot into Safe Mode Here.

Step 4:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:

1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.

2.) Double-click on the mwavscan.com file; this will open the eScan program.

3.) With the eScan interface on your Desktop, make sure that these boxes under Scan Option are checked: Memory, Registry, Startup Folders, System Folders, Services.

4.) Check the Drive box; this will give you access to the other Drive box (radio button) below it. Check this second Drive box as well; a large window across from the second Drive box now appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.

5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.

6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed. Do not Exit the tool just yet.

7.) Open a new NotePad file (click on "Start" >> "All Programs" >>"Accessories" >> "NotePad"), then Copy/Paste the content of the Virus Log Information window into that file, and save it. eScan also creates a full log inside the C:\Kaspersky folder (named mwav.log), but it is huge and cannot be posted on a forum. Please post the content of the log you have saved (into NotePad) in your next reply, once all steps are completed.

Reboot your computer into normal Windows.

When these are all done please show me the results from the ewido log, the eScan log and a new hijack log please. :)

#10 kmantis (Topic Starter, Member, 23 posts)
done -

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:56:06 PM, 17/09/2005
+ Report-Checksum: D1572AAD

+ Scan result:

C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP1\A0000006.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP2\A0000090.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP2\A0000095.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP3\A0000122.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP3\A0000127.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP4\A0000135.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP4\A0000140.EXE -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000178.ocx -> TrojanDownloader.Dyfuca.w : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000180.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000181.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000182.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000183.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000184.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000185.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000186.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000187.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000188.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000189.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000190.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000191.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000192.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000193.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000194.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000195.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000196.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000197.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000199.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000200.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000201.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000202.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000203.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000204.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000205.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000206.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000207.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000208.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000209.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000210.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000211.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000212.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000213.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000214.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000215.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000216.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000217.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000218.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000219.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000220.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000221.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000224.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000225.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000265.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000266.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000304.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000305.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000449.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000450.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000454.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000455.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000457.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000458.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000481.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000482.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000484.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000485.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000503.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000504.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000537.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000538.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000539.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000548.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000560.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000569.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001569.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001578.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001579.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001617.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001618.EXE -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001619.EXE -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001629.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001630.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001631.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001637.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001644.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001645.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001647.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001648.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001725.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP7\A0001735.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP7\A0001736.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP7\A0001737.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001742.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001743.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001744.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001778.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001794.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001795.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001796.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001797.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001825.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001826.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001827.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001832.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001849.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0001851.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0001854.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0001855.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0002013.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0002014.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0002016.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0002017.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002040.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002041.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002044.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002077.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002084.EXE -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002085.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002086.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP12\A0002094.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP12\A0002095.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP12\A0002096.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002124.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002125.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002126.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002150.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002151.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002158.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002159.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002160.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002161.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002240.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002241.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002242.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002243.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002264.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002265.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002310.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002320.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002321.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002407.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002438.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002440.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002441.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002459.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002460.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP17\A0002479.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP17\A0002480.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP17\A0002481.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP17\A0002482.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002483.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002501.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002502.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002517.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002518.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002519.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002520.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002521.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002522.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP19\A0002529.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP19\A0002530.EXE -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP19\A0002531.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP19\A0002540.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP20\A0002548.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP20\A0002556.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP21\A0002565.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP21\A0002588.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP21\A0002589.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP21\A0002594.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\XP\system32\lwaa.dll -> TrojanDownloader.Small.azk : Error during cleaning
C:\XP\system32\cray.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\addmg32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\winvb.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\iemb32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\apirr32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\msuj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\atlsh32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\wintb.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\appch32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\netvf.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\wmhluv.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\addyl.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\xudklh.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\wtbqjs.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\addgt32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\vsmynj.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\sysvq32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\ntwe.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\sysum.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\cabvmy.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\crpn32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\winfi32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\mssj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\msdb32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\sdkmw32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\apphk.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\d3rl32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\winon.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\K Hutton\Cookies\k hutton@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\K Hutton\Cookies\k hutton@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\K\Cookies\k@att.com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
D:\Documents and Settings\K\Cookies\k@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup


::Report End

My bad - I did the first escan without updating and only saved the mwav.log. These are the results after the update:

Sat Sep 17 17:11:32 2005 => Checking for Pagabot Virus...
Sat Sep 17 17:11:32 2005 => Checking for Parite.b Virus...
Sat Sep 17 17:11:32 2005 => Checking for Parite.a Virus...

Sat Sep 17 17:11:32 2005 => ***** Scanning complete. *****
Sat Sep 17 17:11:32 2005 => Total Number of Files Scanned: 132208
Sat Sep 17 17:11:32 2005 => Total Number of Virus(es) Found: 25
Sat Sep 17 17:11:32 2005 => Total Number of Disinfected Files: 0
Sat Sep 17 17:11:33 2005 => Total Number of Files Renamed: 0
Sat Sep 17 17:11:33 2005 => Total Number of Deleted Files: 4
Sat Sep 17 17:11:33 2005 => Total Number of Errors: 3
Sat Sep 17 17:11:33 2005 => Time Elapsed: 02:20:42
Sat Sep 17 17:11:33 2005 => Virus Database Date: 2005/09/10
Sat Sep 17 17:11:33 2005 => Virus Database Count: 148646

Sat Sep 17 17:11:33 2005 => Scan Completed.


This popped up after a reboot:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Logfile of HijackThis v1.99.1
Scan saved at 6:32:27 PM, on 17/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\csrss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\System32\Ati2evxx.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\XP\system32\Ati2evxx.exe
C:\XP\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\XP\System32\ctfmon.exe
C:\XP\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\XP\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\XP\system32\NOTEPAD.EXE
C:\XP\system32\NOTEPAD.EXE
C:\Documents and Settings\K Hutton\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\XP\System32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\XP\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123553773483
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125135366594
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32651.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\XP\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\XP\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

cheers
#11
kmantis

  • Topic Starter
  • Member
  • 23 posts
done -

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:56:06 PM, 17/09/2005
+ Report-Checksum: D1572AAD

+ Scan result:

C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP1\A0000006.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP2\A0000090.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP2\A0000095.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP3\A0000122.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP3\A0000127.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP4\A0000135.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP4\A0000140.EXE -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000178.ocx -> TrojanDownloader.Dyfuca.w : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000180.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000181.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000182.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000183.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000184.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000185.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000186.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000187.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000188.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000189.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000190.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000191.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000192.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000193.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000194.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000195.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000196.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000197.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000199.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000200.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000201.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000202.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000203.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000204.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000205.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000206.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000207.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000208.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000209.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000210.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000211.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000212.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000213.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000214.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000215.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000216.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000217.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000218.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000219.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000220.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000221.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000224.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000225.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000265.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000266.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000304.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000305.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000449.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000450.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000454.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000455.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000457.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000458.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000481.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000482.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000484.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000485.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000503.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000504.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000537.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000538.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000539.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000548.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000560.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0000569.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001569.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001578.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001579.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001617.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001618.EXE -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP5\A0001619.EXE -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001629.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001630.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001631.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001637.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001644.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001645.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001647.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001648.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP6\A0001725.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP7\A0001735.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP7\A0001736.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP7\A0001737.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001742.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001743.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001744.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001778.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001794.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001795.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001796.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP8\A0001797.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001825.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001826.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001827.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001832.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP9\A0001849.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0001851.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0001854.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0001855.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0002013.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0002014.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0002016.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP10\A0002017.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002040.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002041.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002044.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002077.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002084.EXE -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002085.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP11\A0002086.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP12\A0002094.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP12\A0002095.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP12\A0002096.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002124.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002125.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002126.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002150.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002151.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002158.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002159.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002160.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002161.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002240.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002241.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002242.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002243.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002264.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002265.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002310.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002320.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002321.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP15\A0002407.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002438.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002440.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002441.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002459.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP16\A0002460.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP17\A0002479.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP17\A0002480.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP17\A0002481.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP17\A0002482.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002483.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002501.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002502.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002517.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002518.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002519.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002520.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002521.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP18\A0002522.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP19\A0002529.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP19\A0002530.EXE -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP19\A0002531.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP19\A0002540.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP20\A0002548.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP20\A0002556.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP21\A0002565.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP21\A0002588.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP21\A0002589.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\System Volume Information\_restore{7C900EDF-21F2-419A-95E8-906B9B49101A}\RP21\A0002594.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\XP\system32\lwaa.dll -> TrojanDownloader.Small.azk : Error during cleaning
C:\XP\system32\cray.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\addmg32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\winvb.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\iemb32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\apirr32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\msuj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\atlsh32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\wintb.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\system32\appch32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\netvf.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\wmhluv.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\addyl.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\xudklh.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\wtbqjs.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\addgt32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\vsmynj.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\sysvq32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\ntwe.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\sysum.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\cabvmy.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\crpn32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\winfi32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\mssj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\msdb32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\sdkmw32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\apphk.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\d3rl32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\XP\winon.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\K Hutton\Cookies\k hutton@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\K Hutton\Cookies\k hutton@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\K\Cookies\k@att.com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
D:\Documents and Settings\K\Cookies\k@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup


::Report End

My bad - I did the first eScan without updating and only saved the mwav.log. These are the results after the update:

Sat Sep 17 17:11:32 2005 => Checking for Pagabot Virus...
Sat Sep 17 17:11:32 2005 => Checking for Parite.b Virus...
Sat Sep 17 17:11:32 2005 => Checking for Parite.a Virus...

Sat Sep 17 17:11:32 2005 => ***** Scanning complete. *****
Sat Sep 17 17:11:32 2005 => Total Number of Files Scanned: 132208
Sat Sep 17 17:11:32 2005 => Total Number of Virus(es) Found: 25
Sat Sep 17 17:11:32 2005 => Total Number of Disinfected Files: 0
Sat Sep 17 17:11:33 2005 => Total Number of Files Renamed: 0
Sat Sep 17 17:11:33 2005 => Total Number of Deleted Files: 4
Sat Sep 17 17:11:33 2005 => Total Number of Errors: 3
Sat Sep 17 17:11:33 2005 => Time Elapsed: 02:20:42
Sat Sep 17 17:11:33 2005 => Virus Database Date: 2005/09/10
Sat Sep 17 17:11:33 2005 => Virus Database Count: 148646

Sat Sep 17 17:11:33 2005 => Scan Completed.


This popped up after a reboot:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Logfile of HijackThis v1.99.1
Scan saved at 6:32:27 PM, on 17/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\csrss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\System32\Ati2evxx.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\XP\system32\Ati2evxx.exe
C:\XP\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\XP\System32\ctfmon.exe
C:\XP\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\XP\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\XP\system32\NOTEPAD.EXE
C:\XP\system32\NOTEPAD.EXE
C:\Documents and Settings\K Hutton\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\XP\System32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\XP\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123553773483
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125135366594
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32651.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\XP\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\XP\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Cheers

#12
John_L (Visiting Staff, 1,398 posts)
This looks pretty good to me, any more problems?

#13
kmantis (Topic Starter, Member, 23 posts)
Yeah, Norton still pops up: virus hclean32.exe is still there.


Logfile of HijackThis v1.99.1
Scan saved at 12:08:51 PM, on 18/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\csrss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\System32\Ati2evxx.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\XP\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\XP\system32\Ati2evxx.exe
C:\XP\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\XP\System32\ctfmon.exe
C:\XP\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\K Hutton\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\XP\System32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\XP\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123553773483
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125135366594
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32651.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\XP\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\XP\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#14
John_L (Visiting Staff, 1,398 posts)
Ok then, please show me a new Silent Runners log.

And

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

When these are done, please show me both logs and a new HijackThis log.

#15
kmantis (Topic Starter, Member, 23 posts)
Ok..

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\XP\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"RedLine Taskbar" = "C:\Program Files\RedLine\Taskbar.exe" ["Byron Montgomerie"]
"BigPondCable" = ""C:\Program Files\Telstra\Cable Login\bpcable.exe" /r" ["Telstra"]
"NeroFilterCheck" = "C:\XP\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"iamapp" = "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Advanced Tools Check" = "C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\XP\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{40E69241-5D1A-11D1-81CB-727272727FFF}" = "Quick Register Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\CHANGE~1\cfishell.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\XP\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\XP\System32\Audiodev.dll" [MS]
"{C14F7681-33D8-11D3-A09B-00500402F30B}" = "ImageToPDF"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AdultPDF\Image To PDF\Menu.dll" [empty string]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" [file not found]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csbaf.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ImageToPDF\(Default) = "{C14F7681-33D8-11D3-A09B-00500402F30B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AdultPDF\Image To PDF\Menu.dll" [empty string]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CFI\(Default) = "{40E69241-5D1A-11D1-81CB-727272727FFF}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\CHANGE~1\cfishell.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\XP\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\XP\System32\logon.scr" [MS]


Startup items in "K Hutton" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Canon LASER SHOT LBP-1120 Status Window" -> shortcut to: "C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE !N" ["CANON INC."]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\XP\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Accounts Manager, NISUM, "C:\Program Files\Norton Personal Firewall\NISUM.EXE" ["Symantec Corporation"]
Norton Personal Firewall Proxy Service, SymProxySvc, "C:\Program Files\Norton Personal Firewall\SymProxySvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Service, NISSERV, "C:\Program Files\Norton Personal Firewall\NISSERV.EXE" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE" ["Symantec Corporation"]
Panda Process Protection Service, PavPrSrv, ""C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\XP\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 59 seconds, including 9 seconds for message boxes)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
FSG! 18/11/2002 10:28:58 AM RH 134392638 C:\W98UNDO.DAT
PEC2 18/11/2002 10:28:58 AM RH 134392638 C:\W98UNDO.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 28/08/2005 11:43:22 AM 15677649 C:\XP\VPTNFILE.803
qoologic 28/08/2005 11:43:22 AM 15677649 C:\XP\VPTNFILE.803
SAHAgent 28/08/2005 11:43:22 AM 15677649 C:\XP\VPTNFILE.803
PECompact2 28/08/2005 11:43:22 AM 15677649 C:\XP\LPT$VPN.803
qoologic 28/08/2005 11:43:22 AM 15677649 C:\XP\LPT$VPN.803
SAHAgent 28/08/2005 11:43:22 AM 15677649 C:\XP\LPT$VPN.803
UPX! 5/04/2005 8:06:00 PM 65536 C:\XP\IFinst27.exe
UPX! 28/08/2005 11:43:22 AM 1044560 C:\XP\vsapi32.dll
aspack 28/08/2005 11:43:22 AM 1044560 C:\XP\vsapi32.dll
UPX! 28/08/2005 11:43:24 AM 170053 C:\XP\tsc.exe

Checking %System% folder...
Umonitor 12/02/2002 6:14:12 PM 630784 C:\XP\SYSTEM32\rasdlg.dll
PEC2 23/08/2001 3:00:00 PM 41397 C:\XP\SYSTEM32\dfrg.msc
winsync 23/08/2001 3:00:00 PM 1309184 C:\XP\SYSTEM32\wbdbase.deu
UPX! 8/11/2003 8:34:00 PM 36864 C:\XP\SYSTEM32\RLMPCDec.ax
SAHAgent 27/08/2005 2:54:48 PM 172032 C:\XP\SYSTEM32\~global.dll
buddy.exe 27/08/2005 2:54:48 PM 172032 C:\XP\SYSTEM32\~global.dll
KavSvc 27/08/2005 2:54:48 PM 172032 C:\XP\SYSTEM32\~global.dll
winsync 27/08/2005 2:54:48 PM 172032 C:\XP\SYSTEM32\~global.dll
qoologic 15/04/2005 11:31:06 AM 10347891 C:\XP\SYSTEM32\pav.sig
aspack 15/04/2005 11:31:06 AM 10347891 C:\XP\SYSTEM32\pav.sig
SAHAgent 15/04/2005 11:31:06 AM 10347891 C:\XP\SYSTEM32\pav.sig
winsync 15/04/2005 11:31:06 AM 10347891 C:\XP\SYSTEM32\pav.sig
UPX! 1/06/2004 11:56:00 AM 35869 C:\XP\SYSTEM32\RadLightMPCUninstall.exe
aspack 13/09/2003 3:08:40 PM 472576 C:\XP\SYSTEM32\Incinerator.dll
_rtneg3 27/08/2005 2:54:52 PM 421888 C:\XP\SYSTEM32\~AdAway.dll
SAHAgent 27/08/2005 2:54:52 PM 421888 C:\XP\SYSTEM32\~AdAway.dll
KavSvc 27/08/2005 2:54:52 PM 421888 C:\XP\SYSTEM32\~AdAway.dll
PTech 29/08/2005 1:27:12 PM 520968 C:\XP\SYSTEM32\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...

Items found in C:\XP\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/09/2005 11:15:08 PM H 54156 C:\XP\QTFont.qfn
18/09/2005 1:07:52 PM S 2048 C:\XP\bootstat.dat
27/08/2005 3:53:46 PM HS 32 C:\XP\{6AC9C6EB-312F-47AA-A961-8918EEC345A3}.dat
27/08/2005 3:53:46 PM HS 32 C:\XP\system32\{5AF06A6C-5B4F-4683-82AD-7A0D40EF763C}.dat
16/09/2005 4:33:16 PM HS 184 C:\XP\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini
9/08/2005 12:16:44 PM H 0 C:\XP\inf\oem21.inf
18/09/2005 1:07:28 PM H 6 C:\XP\Tasks\SA.DAT

Checking for CPL files...
Caere Corp. 4/11/2000 8:18:52 AM 303104 C:\XP\SYSTEM32\scmgrcpl50.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 130048 C:\XP\SYSTEM32\desk.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 119808 C:\XP\SYSTEM32\intl.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 270848 C:\XP\SYSTEM32\sysdm.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 150016 C:\XP\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 7:14:40 AM 292352 C:\XP\SYSTEM32\inetcpl.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 558592 C:\XP\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 3:41:00 AM 208896 C:\XP\SYSTEM32\joy.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 187904 C:\XP\SYSTEM32\main.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 559616 C:\XP\SYSTEM32\mmsys.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 35840 C:\XP\SYSTEM32\ncpa.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 256000 C:\XP\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 36864 C:\XP\SYSTEM32\nwc.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 36864 C:\XP\SYSTEM32\odbccp32.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 109056 C:\XP\SYSTEM32\powercfg.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\XP\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 28160 C:\XP\SYSTEM32\telephon.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 90112 C:\XP\SYSTEM32\timedate.cpl
Sun Microsystems, Inc. 4/03/2005 3:36:44 AM 49265 C:\XP\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 24/08/2001 1:00:00 AM 66048 C:\XP\SYSTEM32\access.cpl
Ahead Software AG 29/07/2003 5:09:40 PM 57344 C:\XP\SYSTEM32\ImageDrive.cpl
Apple Computer, Inc. 14/12/2003 9:20:50 AM 323072 C:\XP\SYSTEM32\QuickTime.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 130048 C:\XP\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 36864 C:\XP\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 270848 C:\XP\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 558592 C:\XP\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 150016 C:\XP\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 36864 C:\XP\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 29/08/2002 7:14:40 AM 292352 C:\XP\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 119808 C:\XP\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 24/08/2001 1:00:00 AM 66048 C:\XP\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 29/08/2002 3:41:00 AM 208896 C:\XP\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 35840 C:\XP\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 256000 C:\XP\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 109056 C:\XP\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 187904 C:\XP\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 559616 C:\XP\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 147456 C:\XP\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 28160 C:\XP\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 23/08/2001 3:00:00 PM 90112 C:\XP\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
3/12/2003 9:21:16 PM 1822 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/08/2004 12:36:50 PM 923 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon LASER SHOT LBP-1120 Status Window.LNK
27/02/2004 3:23:46 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
27/02/2004 12:54:10 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
27/02/2004 3:23:46 PM 84 C:\Documents and Settings\K Hutton\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
27/02/2004 12:54:10 PM HS 62 C:\Documents and Settings\K Hutton\Application Data\desktop.ini
23/12/2004 12:43:14 PM 4713 C:\Documents and Settings\K Hutton\Application Data\wo.tmp

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ImageToPDF
{C14F7681-33D8-11D3-A09B-00500402F30B} = C:\Program Files\AdultPDF\Image To PDF\Menu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = D:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CFI
{40E69241-5D1A-11D1-81CB-727272727FFF} = C:\PROGRA~1\CHANGE~1\cfishell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = D:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = :
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
RedLine Taskbar C:\Program Files\RedLine\Taskbar.exe
BigPondCable "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
NeroFilterCheck C:\XP\system32\NeroCheck.exe
iamapp C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
MSConfig C:\XP\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\XP\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\XP\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\XP\System32\userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 18/09/2005 1:16:08 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:26:00 PM, on 18/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\csrss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\System32\Ati2evxx.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\XP\system32\Ati2evxx.exe
C:\XP\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\XP\System32\ctfmon.exe
C:\XP\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\XP\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\XP\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\XP\System32\wuauclt.exe
C:\XP\system32\NOTEPAD.EXE
C:\XP\system32\NOTEPAD.EXE
C:\Documents and Settings\K Hutton\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\XP\System32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\XP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\XP\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\XP\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123553773483
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125135366594
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32651.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\XP\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\XP\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\K Hutton\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I'm also still getting that desktop.ini popping up after rebooting from safe mode.
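The O23 service entries in the log above are what a helper reads first: a service whose file is missing, has no company name in its version info, lives under a user profile, or has an unbalanced quote in its image path gets looked at before anything else. As an added example (not from the thread and not part of HijackThis), a small Python parser that pulls the O23 lines out of such a log and applies exactly those checks; the sample lines are constructed from the log above with the user folder replaced by a placeholder.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the HijackThis log above (user folder is a
# placeholder). The O12 line is included only to show that non-O23 lines are
# ignored by the parser.
SAMPLE_LOG = """\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\XP\\System32\\Ati2evxx.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\\Documents and Settings\\user\\Desktop\\SFUninstaller.exe" service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\\Program Files\\Webroot\\Spy Sweeper\\WRSSSDK.exe
O12 - Plugin for .wav: C:\\Program Files\\Internet Explorer\\PLUGINS\\npqtplugin.dll
"""

# "O23 - Service: <display> [(<short>)] - <owner> - <image path and remarks>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<image>.*)$"
)

# Folders where a legitimate service binary is not expected to live.
USER_DIRS = ("\\documents and settings\\", "\\desktop\\", "\\temp\\",
             "\\application data\\", "\\local settings\\")

def parse_o23(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one O23 line, or None for any other line type."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(entry: Dict[str, Optional[str]]) -> List[str]:
    """Flags that justify a closer look; an empty list means nothing stood out."""
    flags: List[str] = []
    image = entry["image"] or ""
    if "(file missing)" in image:
        flags.append("file missing")          # orphaned registration, still auto-starts
    if entry["owner"] == "Unknown owner":
        flags.append("unknown owner")         # no company name in the file's version info
    if any(d in image.lower() for d in USER_DIRS):
        flags.append("user-profile path")     # services normally live in system dirs
    if image.count('"') % 2 == 1:
        flags.append("malformed image path")  # unbalanced quote in the ImagePath value
    return flags

def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each service's display name to its flags, skipping non-O23 lines."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry:
            result[entry["display"]] = triage(entry)
    return result
```

Running `triage_log(SAMPLE_LOG)` flags the SmartFinder entry on all four checks, the ATI entry only for its missing owner, and leaves the Webroot entry clean.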