
Trojan Nebula Removal

Discussion in 'Malware and Virus Removal Archive' started by Oddie, 2006/09/09.

  1. 2006/09/09
    Oddie

    Oddie Inactive Thread Starter

    Joined:
    2006/09/09
    Messages:
    12
    Likes Received:
    0
    I have joined this site as I am now desperate!

    I have a Trojan Nebula infecting my PC and as much as I have tried I can't shift the swine. I have tried all the usual antivirus software and adware and it is still hanging on in there. Is there anyone out there who can help me with this?

    Thanx for the time.

    Od
     
  2. 2006/09/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Here is how we like to begin our analysis of your pc:

    For starters, if you do not have them yet, please DL and run AdAware & Spybot Search & Destroy. AdAware and Spybot Search & Destroy are 2 of the most trusted apps in the security area. They are both free, complement each other nicely, and do not use a lot of resources. (If you have already run those, then skip directly to HiJackThis!) They can be found here:

    Spybot Search & Destroy v.1.4
    AdAware SE Free v1.06r

    With AdAware and Spybot: DL, follow the install instructions, check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next. The reason for running these apps, is to clean up some of the other 'crapware' on your pc, which, in turn, will make deciphering your HJT log, easier.

    Then we use HiJackThis v:1.99.1zip.
    DL the zip file to your desktop, then create a new folder on your C drive, called 'HJT' or 'HijackThis'. Then unzip the files to the new folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

    Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and Post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.
     


  4. 2006/09/10
    Oddie

    Oddie Inactive Thread Starter

    Joined:
    2006/09/09
    Messages:
    12
    Likes Received:
    0
    My log file

    thanks for the quick response! Here is the log file as you have asked.

    Because it is long, it will come to you in two parts - it exceeds 20000 characters.

    Od.

    PART ONE


    Logfile of HijackThis v1.99.1
    Scan saved at 19:44:37, on 10/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\default\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wla3mp6x.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {A8570C26-6548-4860-B60E-1501E38A1023} (CompInfo.Server) - http://www.pcservicecall.co.uk/RemoteSupport/CompInfo.CAB
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O18 - Protocol: bw+0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480
     
  5. 2006/09/10
    Oddie

    Oddie Inactive Thread Starter

    Joined:
    2006/09/09
    Messages:
    12
    Likes Received:
    0
    Part Two

    PART TWO


    \Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
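The two-part HijackThis log above is the raw material the helper reads by eye. The following Python script is an added illustration of how that reading can be automated for a first pass; it is not code from the thread, from WindowsBBS or from the HijackThis project. It splits the "Oxx - ..." result lines into tag, friendly name, CLSID and target, then applies two reviewer heuristics: an O16 DPF (ActiveX download) entry that fetches a bare .exe or carries no registered friendly name, and an O18 protocol-handler DLL that registers an implausible number of URL schemes. The sample lines are copied from the log posted above; the threshold of 5 schemes per DLL is an assumed value chosen to fit the sample.

```python
"""Triage of HijackThis (HJT) log lines. Added example, not code from
WindowsBBS, from HijackThis, or from anyone in this thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    tag: str             # HJT section, e.g. "O16" or "O18"
    name: Optional[str]  # friendly name (O16) or URL scheme (O18)
    clsid: Optional[str]
    target: str          # the URL or file path the entry points at
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT result line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    # The last " - " separated field is the URL or path the entry loads.
    target = body.rsplit(" - ", 1)[-1].strip()
    name = None
    if tag == "O16":
        # "O16 - DPF: {CLSID} (Friendly Name) - URL"; the name is optional.
        nm = re.search(r"\(([^()]*)\)\s*-\s*\S+$", body)
        name = nm.group(1) if nm else None
    elif tag == "O18":
        # "O18 - Protocol: scheme - {CLSID} - DLL"
        nm = re.match(r"Protocol:\s*(\S+)", body)
        name = nm.group(1) if nm else None
    return Entry(tag, name, clsid, target, line.strip())


def triage(lines, many_schemes: int = 5) -> List[Tuple[str, str]]:
    """Return (raw line, reason) pairs for entries a reviewer should look at.

    many_schemes is an assumed threshold: one DLL registering that many
    URL schemes is unusual enough to deserve a look.
    """
    entries = [e for e in (parse_line(l) for l in lines) if e]
    schemes_per_dll = Counter(e.target.lower() for e in entries if e.tag == "O18")
    findings = []
    for e in entries:
        if e.tag == "O16":
            if e.target.lower().endswith(".exe"):
                findings.append((e.raw, "O16 DPF entry downloads a bare .exe"))
            elif e.name is None:
                findings.append((e.raw, "O16 DPF entry has no registered friendly name"))
        elif e.tag == "O18":
            n = schemes_per_dll[e.target.lower()]
            if n >= many_schemes:
                findings.append((e.raw, f"O18: {e.target} registers {n} URL schemes"))
    return findings


# Sample lines copied from the HJT log posted in this thread.
SAMPLE_LOG = [
    "O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wla3mp6x.exe",
    "O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409",
    "O16 - DPF: {A8570C26-6548-4860-B60E-1501E38A1023} (CompInfo.Server) - http://www.pcservicecall.co.uk/RemoteSupport/CompInfo.CAB",
    "O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab",
    r"O18 - Protocol: bw+0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll",
    r"O18 - Protocol: bw+0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll",
    r"O18 - Protocol: bw-0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll",
    r"O18 - Protocol: bw-0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll",
    r"O18 - Protocol: bw00 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]

if __name__ == "__main__":
    for raw, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {raw}")
```

Run against the sample, the script flags the unnamed all-zero-CLSID O16 entry that fetches wla3mp6x.exe (the line the helper asks to fix), flags the Yahoo entry only for lacking a name, leaves the WGA and CompInfo entries alone, and reports every O18 line because the single Logitech DLL registers more schemes than the threshold. The heuristics only rank lines for a human; they do not decide what is malicious.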
  6. 2006/09/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Great job.

    Was there a lot of malware removed by the two scans by Ad-Aware and Spybot? There isn't much in your log at all. Let me know.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be on the desktop.

    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. (C:\HJT\HijackThis.exe) Move HijackThis.exe into this folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.
    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wla3mp6x.exe

    ALL THE O18 LINES


    Reboot, run HJT, if the above are gone, no need to repost with new log.

    But do please let me know what the other apps removed and if you're having any other problems at this point.
     
  7. 2006/09/12
    Oddie

    Oddie Inactive Thread Starter

    Joined:
    2006/09/09
    Messages:
    12
    Likes Received:
    0
    ..thanks for your time so far, however...

    ...my Norton is still reporting a nebula dropper on my system that it can't shake. In addition to this..or it may be because of this, there is an intermittent ticking, or clicking coming from my base unit. What should I do next?

    Od
     
  8. 2006/09/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    What is the file path described by Norton?

    Clicking coming from where, your tower, router? I don't know what you mean by 'base unit'.

    I need to know what was removed still.
     
  9. 2006/09/12
    Oddie

    Oddie Inactive Thread Starter

    Joined:
    2006/09/09
    Messages:
    12
    Likes Received:
    0
    ..sorry..

    ..the clicking is coming from my tower.

    ..And it is my 2005 Norton antivirus that has reported the virus, a trojan nebula. It is the file 'winepi32.dll' that is infected, and for whatever reason, it cannot be repaired or deleted.

    I'm sorry, I can't list the items that have been removed as the logs have been deleted from my system. I do use AdwareSE Personal and Spy-bot. Apologies for not being more helpful..
     
  10. 2006/09/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, let's run a scan and get a couple of logs.

    Download Ewido Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine ".
    • Under "Reports "
    • Select "Automatically generate report after every scan "
    • Un-Select "Only if threats were found "
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
      • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
      • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan ".
      • ewido will now begin the scanning process, be patient this may take a little time.
        Once the scan is complete do the following:
      • If you have any infections you will be prompted, then select "Apply all actions "
      • Next select the "Reports" icon at the top.
      • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
      • Close ewido and reboot your system back into Normal Mode

      Once in normal mode:
      Download combofix.exe
      • Double click combofix.exe & follow the prompts.
      • When finished, it shall produce a log for you. Post that log in your next reply

      Note:
      Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

      Then run me a new HJT log file.

      Post the results of the ewido report scan along with the ComboFix log as well as the new HJT log. (Please edit out any cookie references from the Ewido log)
     
  11. 2006/09/13
    Oddie

    Oddie Inactive Thread Starter

    Joined:
    2006/09/09
    Messages:
    12
    Likes Received:
    0
    ..all done...

    ..as requested, the ewido log..

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 19:50:15 13/09/2006

    + Scan result:



    C:\WINDOWS\Temp\win7A3.tmp.exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
    C:\data -> Downloader.IstBar.nh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\winepi32.dll -> Trojan.Klone.g : Cleaned with backup (quarantined).


    ::Report end

    ..the Combofix log...

    default - 06-09-13 20:02:55.93
    ComboFix 06.09.11B - Running from: C:\Documents and Settings\default\Desktop

    Microsoft Windows XP [Version 5.1.2600]

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\winupdate
    C:\Program Files\winupdates


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))


    2006-09-12 17:59 18,944 --a------ C:\WINDOWS\system32\cool.exe
    2006-09-09 14:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-09-09 14:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-09-09 14:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-09-09 14:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-09-05 18:35 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2006-09-05 17:23 638,560 ---hs---- C:\WINDOWS\system32\qttss.bak2
    2006-09-03 20:42 453,425 ---hs---- C:\WINDOWS\system32\qttss.ini2
    2006-09-01 18:19 452,039 ---hs---- C:\WINDOWS\system32\qttss.bak1
    2006-09-01 18:18 692,276 ---hs---- C:\WINDOWS\system32\ssttq.dll
    2006-08-17 13:15 132 --a------ C:\WINDOWS\system32\jjhjjh.sys
    2006-08-17 12:53 1,150,976 --a------ C:\WINDOWS\system32\nzdd.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-13 19:55 -------- d-------- C:\Program Files\Common Files
    2006-09-13 18:47 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-09-09 23:26 -------- d-------- C:\Program Files\Registry Mechanic
    2006-09-09 14:40 -------- d-------- C:\Program Files\Windows Defender
    2006-09-09 14:40 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-09-09 08:46 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-09-05 21:56 -------- d-------- C:\Program Files\Spyware Doctor
    2006-09-05 21:53 -------- d-------- C:\Documents and Settings\default\Application Data\PC Tools
    2006-09-05 21:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-09-05 21:11 -------- d-------- C:\Program Files\Samsung
    2006-09-05 18:51 -------- d-------- C:\Program Files\Norton AntiVirus
    2006-09-05 18:49 -------- d-------- C:\Program Files\SymNetDrv
    2006-09-05 18:49 -------- d-------- C:\Program Files\Symantec
    2006-09-05 18:35 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
    2006-09-05 17:52 -------- d-------- C:\Documents and Settings\default\Application Data\Symantec
    2006-09-05 17:41 -------- d-------- C:\Program Files\Swarm
    2006-09-03 19:25 -------- d-------- C:\Program Files\Ricochet Xtreme
    2006-09-03 19:05 -------- d-------- C:\Program Files\Cosmic Bugs
    2006-09-01 18:12 -------- d-------- C:\Program Files\Luxor Amun Rising
    2006-08-28 10:35 -------- d-------- C:\Documents and Settings\default\Application Data\Adobe
    2006-08-27 18:51 -------- d-------- C:\Documents and Settings\default\Application Data\wsInspector
    2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-17 14:52 1991 --a------ C:\Program Files\channels.xml
    2006-08-17 14:52 114 --a------ C:\Program Files\chdata.xml
    2006-08-17 13:15 -------- d-------- C:\Program Files\Msg
    2006-08-17 12:54 -------- d-------- C:\Program Files\Setup
    2006-08-17 12:53 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
    2006-08-17 12:53 71168 --a------ C:\Program Files\rprp3260.dll
    2006-08-17 12:53 50176 --a------ C:\Program Files\rppu3260.dll
    2006-08-17 12:53 3895 --a------ C:\Program Files\realplay.CNT
    2006-08-17 12:53 275425 --a------ C:\Program Files\realplay.HLP
    2006-08-17 12:53 25289 --a------ C:\Program Files\playrlic.txt
    2006-08-17 12:53 24983 --a------ C:\Program Files\playrlic.html
    2006-08-17 12:53 -------- d-------- C:\Program Files\Common Files\xing shared
    2006-08-17 12:53 -------- d-------- C:\Program Files\Common Files\Real
    2006-08-17 12:52 84403 --a------ C:\Program Files\firstrun.rm
    2006-08-17 12:52 835 --a------ C:\Program Files\tuner.xml
    2006-08-17 12:52 625 --a------ C:\Program Files\firstrun.smi
    2006-08-17 12:52 57458 --a------ C:\Program Files\firstrun.swf
    2006-08-17 12:52 5492 --a------ C:\Program Files\def.gd
    2006-08-17 12:52 395264 --a------ C:\Program Files\rpap3260.dll
    2006-08-17 12:52 389120 --a------ C:\Program Files\rpbasic.dll
    2006-08-17 12:52 3800 --a------ C:\Program Files\120.chl
    2006-08-17 12:52 3032 --a------ C:\Program Files\33.chl
    2006-08-17 12:52 26112 --a------ C:\Program Files\realplay.exe
    2006-08-17 12:52 25026 --a------ C:\Program Files\Readme.html
    2006-08-17 12:52 2456 --a------ C:\Program Files\72.chl
    2006-08-17 12:52 242176 --a------ C:\Program Files\rpde3260.dll
    2006-08-17 12:52 2366 --a------ C:\Program Files\52.chl
    2006-08-17 12:52 18944 --a------ C:\Program Files\twebbrowse.dll
    2006-08-17 12:52 17766 --a------ C:\Program Files\videotest.rm
    2006-08-17 12:52 149504 --a------ C:\Program Files\pset3260.dll
    2006-08-17 12:52 146432 --a------ C:\Program Files\rnms3260.dll
    2006-08-17 12:52 14336 --a------ C:\Program Files\rpun3260.dll
    2006-08-17 12:52 12800 --a------ C:\Program Files\rpshellsearch.dll
    2006-08-17 12:52 10752 --a------ C:\Program Files\pnmi3260.dll
    2006-08-17 12:52 105 --a------ C:\Program Files\subs.url
    2006-08-17 11:16 127992 --a------ C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
    2006-08-13 14:13 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 11:18 -------- d-------- C:\Documents and Settings\default\Application Data\AdobeUM
    2006-08-09 10:41 -------- d-------- C:\Program Files\Google
    2006-08-08 10:30 26112 --a------ C:\WINDOWS\npigl.dll
    2006-08-08 10:30 26112 --a------ C:\npigl.dll
    2006-08-08 08:09 7680 --a------ C:\WINDOWS\system32\igApi32.dll
    2006-08-08 08:09 6144 --a------ C:\WINDOWS\system32\igApi329x.dll
    2006-08-08 08:04 4608 --a------ C:\WINDOWS\system32\igApiOps.dll
    2006-08-07 09:23 -------- d-------- C:\Program Files\LexmarkX83
    2006-08-04 12:59 131072 --a------ C:\WINDOWS\system32\pluginhostctrl.dll
    2006-07-28 15:04 24576 --a------ C:\WINDOWS\igBrowse.exe
    2006-07-28 15:04 24576 --a------ C:\igBrowse.exe
    2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-13 09:48 202240 --a------ C:\WINDOWS\system32\drivers\rmcast.sys
    2006-06-22 06:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
    2006-06-22 06:06 1435648 --a------ C:\WINDOWS\system32\query.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
    "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
    "Lexmark X83 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X83.exe"
    "Lexmark X83 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X83.exe"
    "PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "RFX_auto_upgrade"=""
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,12,01,00,00,23,00,00,00,dc,00,00,00,d2,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttq
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winepi32

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
     
  12. 2006/09/13
    Oddie

    ...part two of the Combofix log...

    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20060912-224629-934
    O16 - DPF: {A8570C26-6548-4860-B60E-1501E38A1023} (CompInfo.Server) - http://www.pcservicecall.co.uk/RemoteSupport/CompInfo.CAB
    backup-20060912-180906-461
    O18 - Protocol: bwz0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-236
    O18 - Protocol: bwx0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-806
    O18 - Protocol: bwx0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-753
    O18 - Protocol: bwy0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-732
    O18 - Protocol: bwz0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-539
    O18 - Protocol: offline-8876480 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-396
    O18 - Protocol: bwy0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-608
    O18 - Protocol: bww0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-595
    O18 - Protocol: bwv0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-726
    O18 - Protocol: bwt0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-854
    O18 - Protocol: bwv0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-993
    O18 - Protocol: bwu0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-192
    O18 - Protocol: bwu0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-700
    O18 - Protocol: bwt0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-345
    O18 - Protocol: bww0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-215
    O18 - Protocol: bwq0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-797
    O18 - Protocol: bwp0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-711
    O18 - Protocol: bwr0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-151
    O18 - Protocol: bws0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-756
    O18 - Protocol: bws0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-365
    O18 - Protocol: bwr0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-508
    O18 - Protocol: bwq0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-957
    O18 - Protocol: bwp0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-351
    O18 - Protocol: bwm0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-833
    O18 - Protocol: bwo0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-904
    O18 - Protocol: bwo0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-523
    O18 - Protocol: bwn0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-538
    O18 - Protocol: bwn0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-767
    O18 - Protocol: bwm0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-977
    O18 - Protocol: bwj0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-987
    O18 - Protocol: bwk0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-955
    O18 - Protocol: bwk0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-628
    O18 - Protocol: bwl0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-866
    O18 - Protocol: bwj0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-763
    O18 - Protocol: bwl0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-452
    O18 - Protocol: bwg0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-569
    O18 - Protocol: bwh0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-812
    O18 - Protocol: bwg0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-257
    O18 - Protocol: bwi0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-212
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    backup-20060912-180906-199
    O18 - Protocol: bwh0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-460
    O18 - Protocol: bwi0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-709
    O18 - Protocol: bwf0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-809
    O18 - Protocol: bwf0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-472
    O18 - Protocol: bwd0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-500
    O18 - Protocol: bwe0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-681
    O18 - Protocol: bwe0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-122
    O18 - Protocol: bwd0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-682
    O18 - Protocol: bw90s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-102
    O18 - Protocol: bwa0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-838
    O18 - Protocol: bwc0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-899
    O18 - Protocol: bwc0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-614
    O18 - Protocol: bwb0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-688
    O18 - Protocol: bwb0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-575
    O18 - Protocol: bwa0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-406
    O18 - Protocol: bw70 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-364
    O18 - Protocol: bw80s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-178
    O18 - Protocol: bw70s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-306
    O18 - Protocol: bw90 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-225
    O18 - Protocol: bw50s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-908
    O18 - Protocol: bw60s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-129
    O18 - Protocol: bw80 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-830
    O18 - Protocol: bw60 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-247
    O18 - Protocol: bw40s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-730
    O18 - Protocol: bw30s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-890
    O18 - Protocol: bw50 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-972
    O18 - Protocol: bw40 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-851
    O18 - Protocol: bw20s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-498
    O18 - Protocol: bw00 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-359
    O18 - Protocol: bw10s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-366
    O18 - Protocol: bw10 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-697
    O18 - Protocol: bw00s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-114
    O18 - Protocol: bw20 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-374
    O18 - Protocol: bw30 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-781
    O18 - Protocol: bw+0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-471
    O18 - Protocol: bw-0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180906-294
    O18 - Protocol: bw-0s - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    backup-20060912-180905-963
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/webline/x/wla3mp6x.exe
    backup-20060912-180906-386
    O18 - Protocol: bw+0 - {CE7B921E-F14C-4060-9C60-B8968046DAB2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - default.job

    Completion time: 13/09/2006 20:06:23.92
    ComboFix.txt
     
  13. 2006/09/13
    Oddie

    ...and the HJT log...

    Logfile of HijackThis v1.99.1
    Scan saved at 20:12:35, on 13/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\system32\cscript.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cscript.exe
    C:\PROGRA~1\Logitech\Video\FxSvr2.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  14. 2006/09/13
    TeMerc (Inactive Alumni)
    OK, rather than try to fix things with ComboFix, specifically the Vundo infection you have, let's just use the special tool designed to rid all components of it.

    Please download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • The contents of the log produced will be located here:
      C:\*vundofix.txt*

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above
    instructions starting from "Click the *Scan for Vundo* button." when
    VundoFix appears at reboot

    Once that has been run and the log produced, please run ComboFix first, then HJT, and post both logs back into this thread along with the Vundo log.
     
  15. 2006/09/14
    Oddie (Inactive Thread Starter)
    ..again, thanks..

    ...for your time, and here are the 3 new logs...

    VundoFix V6.1.5

    Checking Java version...

    Java version is 1.5.0.2

    Java version is 1.5.0.4

    Java version is 1.5.0.6

    Scan started at 19:13:39 14/09/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\ssttq.dll
    C:\WINDOWS\system32\qttss.ini
    C:\WINDOWS\system32\qttss.bak1
    C:\WINDOWS\system32\qttss.bak2
    C:\WINDOWS\system32\qttss.ini2
    C:\WINDOWS\system32\qttss.tmp

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ssttq.dll
    C:\WINDOWS\system32\ssttq.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\qttss.ini
    C:\WINDOWS\system32\qttss.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qttss.bak1
    C:\WINDOWS\system32\qttss.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qttss.bak2
    C:\WINDOWS\system32\qttss.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qttss.ini2
    C:\WINDOWS\system32\qttss.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qttss.tmp
    C:\WINDOWS\system32\qttss.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.1.5

    Checking Java version...

    Java version is 1.5.0.2

    Java version is 1.5.0.4

    Java version is 1.5.0.6

    Scan started at 19:32:26 14/09/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\ssttq.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ssttq.dll
    C:\WINDOWS\system32\ssttq.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    default - 06-09-14 20:01:52.50
    ComboFix 06.09.11B - Running from: C:\Documents and Settings\default\Desktop

    Microsoft Windows XP [Version 5.1.2600]

    ((((((((((((((((((((((((((((((( Files Created from 2006-08-14 to 2006-09-14 ))))))))))))))))))))))))))))))))))


    2006-09-12 17:59 18,944 --a------ C:\WINDOWS\system32\cool.exe
    2006-09-09 14:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-09-09 14:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-09-09 14:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-09-09 14:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-09-05 18:35 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2006-08-17 13:15 132 --a------ C:\WINDOWS\system32\jjhjjh.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-14 19:47 -------- d-------- C:\Program Files\Common Files
    2006-09-14 18:55 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-09-13 20:46 -------- d-------- C:\Program Files\Ricochet Xtreme
    2006-09-13 20:45 -------- d-------- C:\Program Files\Cosmic Bugs
    2006-09-09 23:26 -------- d-------- C:\Program Files\Registry Mechanic
    2006-09-09 14:40 -------- d-------- C:\Program Files\Windows Defender
    2006-09-09 14:40 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-09-09 08:46 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-09-05 21:56 -------- d-------- C:\Program Files\Spyware Doctor
    2006-09-05 21:53 -------- d-------- C:\Documents and Settings\default\Application Data\PC Tools
    2006-09-05 21:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-09-05 21:11 -------- d-------- C:\Program Files\Samsung
    2006-09-05 18:51 -------- d-------- C:\Program Files\Norton AntiVirus
    2006-09-05 18:49 -------- d-------- C:\Program Files\SymNetDrv
    2006-09-05 18:49 -------- d-------- C:\Program Files\Symantec
    2006-09-05 18:35 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
    2006-09-05 17:52 -------- d-------- C:\Documents and Settings\default\Application Data\Symantec
    2006-09-05 17:41 -------- d-------- C:\Program Files\Swarm
    2006-09-01 18:12 -------- d-------- C:\Program Files\Luxor Amun Rising
    2006-08-28 10:35 -------- d-------- C:\Documents and Settings\default\Application Data\Adobe
    2006-08-27 18:51 -------- d-------- C:\Documents and Settings\default\Application Data\wsInspector
    2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-17 14:52 1991 --a------ C:\Program Files\channels.xml
    2006-08-17 14:52 114 --a------ C:\Program Files\chdata.xml
    2006-08-17 13:15 -------- d-------- C:\Program Files\Msg
    2006-08-17 12:54 -------- d-------- C:\Program Files\Setup
    2006-08-17 12:53 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
    2006-08-17 12:53 71168 --a------ C:\Program Files\rprp3260.dll
    2006-08-17 12:53 50176 --a------ C:\Program Files\rppu3260.dll
    2006-08-17 12:53 3895 --a------ C:\Program Files\realplay.CNT
    2006-08-17 12:53 275425 --a------ C:\Program Files\realplay.HLP
    2006-08-17 12:53 25289 --a------ C:\Program Files\playrlic.txt
    2006-08-17 12:53 24983 --a------ C:\Program Files\playrlic.html
    2006-08-17 12:53 -------- d-------- C:\Program Files\Common Files\Real
    2006-08-17 12:52 84403 --a------ C:\Program Files\firstrun.rm
    2006-08-17 12:52 835 --a------ C:\Program Files\tuner.xml
    2006-08-17 12:52 625 --a------ C:\Program Files\firstrun.smi
    2006-08-17 12:52 57458 --a------ C:\Program Files\firstrun.swf
    2006-08-17 12:52 5492 --a------ C:\Program Files\def.gd
    2006-08-17 12:52 395264 --a------ C:\Program Files\rpap3260.dll
    2006-08-17 12:52 389120 --a------ C:\Program Files\rpbasic.dll
    2006-08-17 12:52 3800 --a------ C:\Program Files\120.chl
    2006-08-17 12:52 3032 --a------ C:\Program Files\33.chl
    2006-08-17 12:52 26112 --a------ C:\Program Files\realplay.exe
    2006-08-17 12:52 25026 --a------ C:\Program Files\Readme.html
    2006-08-17 12:52 2456 --a------ C:\Program Files\72.chl
    2006-08-17 12:52 242176 --a------ C:\Program Files\rpde3260.dll
    2006-08-17 12:52 2366 --a------ C:\Program Files\52.chl
    2006-08-17 12:52 18944 --a------ C:\Program Files\twebbrowse.dll
    2006-08-17 12:52 17766 --a------ C:\Program Files\videotest.rm
    2006-08-17 12:52 149504 --a------ C:\Program Files\pset3260.dll
    2006-08-17 12:52 146432 --a------ C:\Program Files\rnms3260.dll
    2006-08-17 12:52 14336 --a------ C:\Program Files\rpun3260.dll
    2006-08-17 12:52 12800 --a------ C:\Program Files\rpshellsearch.dll
    2006-08-17 12:52 10752 --a------ C:\Program Files\pnmi3260.dll
    2006-08-17 12:52 105 --a------ C:\Program Files\subs.url
    2006-08-17 11:16 127992 --a------ C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
    2006-08-13 14:13 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 11:18 -------- d-------- C:\Documents and Settings\default\Application Data\AdobeUM
    2006-08-09 10:41 -------- d-------- C:\Program Files\Google
    2006-08-08 10:30 26112 --a------ C:\WINDOWS\npigl.dll
    2006-08-08 10:30 26112 --a------ C:\npigl.dll
    2006-08-08 08:09 7680 --a------ C:\WINDOWS\system32\igApi32.dll
    2006-08-08 08:09 6144 --a------ C:\WINDOWS\system32\igApi329x.dll
    2006-08-08 08:04 4608 --a------ C:\WINDOWS\system32\igApiOps.dll
    2006-08-07 09:23 -------- d-------- C:\Program Files\LexmarkX83
    2006-08-04 12:59 131072 --a------ C:\WINDOWS\system32\pluginhostctrl.dll
    2006-07-28 15:04 24576 --a------ C:\WINDOWS\igBrowse.exe
    2006-07-28 15:04 24576 --a------ C:\igBrowse.exe
    2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-06-22 06:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
    2006-06-22 06:06 1435648 --a------ C:\WINDOWS\system32\query.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
    "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
    "Lexmark X83 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X83.exe"
    "Lexmark X83 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X83.exe"
    "PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "RFX_auto_upgrade"=""
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,12,01,00,00,23,00,00,00,dc,00,00,00,d2,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winepi32

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - default.job

    Completion time: 14/09/2006 20:03:39.18
    ComboFix.txt
    ComboFix2.txt
     
  16. 2006/09/14
    Oddie (Inactive Thread Starter)
    HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 20:09:14, on 14/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\system32\cscript.exe
    C:\WINDOWS\system32\cscript.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Logitech\Video\AlbumDB2.exe
    C:\PROGRA~1\Logitech\Video\FxSvr2.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D3E1853E-8878-49FA-8523-17FB2F3F1434} - C:\WINDOWS\system32\ssttq.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  17. 2006/09/14
    TeMerc (Inactive Alumni)
    OK, it looks like the tool worked nicely, though we have one rogue file we need to eliminate.

    Also, in your ComboFix log, all of the files in the 'Program Files' folder:
    2006-08-17 14:52 1991 --a------ C:\Program Files\channels.xml
    2006-08-17 14:52 114 --a------ C:\Program Files\chdata.xml
    2006-08-17 13:15 -------- d-------- C:\Program Files\Msg
    2006-08-17 12:54 -------- d-------- C:\Program Files\Setup
    2006-08-17 12:53 71168 --a------ C:\Program Files\rprp3260.dll
    2006-08-17 12:53 50176 --a------ C:\Program Files\rppu3260.dll
    2006-08-17 12:53 3895 --a------ C:\Program Files\realplay.CNT
    2006-08-17 12:53 275425 --a------ C:\Program Files\realplay.HLP
    2006-08-17 12:53 25289 --a------ C:\Program Files\playrlic.txt
    2006-08-17 12:53 24983 --a------ C:\Program Files\playrlic.html
    2006-08-17 12:52 84403 --a------ C:\Program Files\firstrun.rm
    2006-08-17 12:52 835 --a------ C:\Program Files\tuner.xml
    2006-08-17 12:52 625 --a------ C:\Program Files\firstrun.smi
    2006-08-17 12:52 57458 --a------ C:\Program Files\firstrun.swf
    2006-08-17 12:52 5492 --a------ C:\Program Files\def.gd
    2006-08-17 12:52 395264 --a------ C:\Program Files\rpap3260.dll
    2006-08-17 12:52 389120 --a------ C:\Program Files\rpbasic.dll
    2006-08-17 12:52 3800 --a------ C:\Program Files\120.chl
    2006-08-17 12:52 3032 --a------ C:\Program Files\33.chl
    2006-08-17 12:52 26112 --a------ C:\Program Files\realplay.exe
    2006-08-17 12:52 25026 --a------ C:\Program Files\Readme.html
    2006-08-17 12:52 2456 --a------ C:\Program Files\72.chl
    2006-08-17 12:52 242176 --a------ C:\Program Files\rpde3260.dll
    2006-08-17 12:52 2366 --a------ C:\Program Files\52.chl
    2006-08-17 12:52 18944 --a------ C:\Program Files\twebbrowse.dll
    2006-08-17 12:52 17766 --a------ C:\Program Files\videotest.rm
    2006-08-17 12:52 149504 --a------ C:\Program Files\pset3260.dll
    2006-08-17 12:52 146432 --a------ C:\Program Files\rnms3260.dll
    2006-08-17 12:52 14336 --a------ C:\Program Files\rpun3260.dll
    2006-08-17 12:52 12800 --a------ C:\Program Files\rpshellsearch.dll
    2006-08-17 12:52 10752 --a------ C:\Program Files\pnmi3260.dll
    2006-08-17 12:52 105 --a------ C:\Program Files\subs.url


    These are very strange and should not be there; almost all are from your RealPlayer. I would uninstall RealPlayer and re-install it, if you use it. The install went wrong somehow.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot ", and then select "All files ".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    winepi32.dll
    C:\WINDOWS\system32\jjhjjh.sys


    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard ".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Open HijackThis!, and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O2 - BHO: (no name) - {D3E1853E-8878-49FA-8523-17FB2F3F1434} - C:\WINDOWS\system32\ssttq.dll (file missing)


    O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)


    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  18. 2006/09/15
    Oddie

    Oddie Inactive Thread Starter

    Joined:
    2006/09/09
    Messages:
    12
    Likes Received:
    0
    ..done! here are those log files.

    default - 06-09-15 19:49:31.17
    ComboFix 06.09.11B - Running from: C:\Documents and Settings\default\Desktop

    Microsoft Windows XP [Version 5.1.2600]

    ((((((((((((((((((((((((((((((( Files Created from 2006-08-15 to 2006-09-15 ))))))))))))))))))))))))))))))))))


    2006-09-12 17:59 18,944 --a------ C:\WINDOWS\system32\cool.exe
    2006-09-09 14:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-09-09 14:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-09-09 14:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-09-09 14:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-09-05 18:35 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-15 19:47 -------- d-------- C:\Program Files\Common Files
    2006-09-15 19:30 -------- d-------- C:\Program Files\Common Files\Real
    2006-09-14 18:55 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-09-13 20:46 -------- d-------- C:\Program Files\Ricochet Xtreme
    2006-09-13 20:45 -------- d-------- C:\Program Files\Cosmic Bugs
    2006-09-09 23:26 -------- d-------- C:\Program Files\Registry Mechanic
    2006-09-09 14:40 -------- d-------- C:\Program Files\Windows Defender
    2006-09-09 14:40 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-09-09 08:46 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-09-05 21:56 -------- d-------- C:\Program Files\Spyware Doctor
    2006-09-05 21:53 -------- d-------- C:\Documents and Settings\default\Application Data\PC Tools
    2006-09-05 21:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-09-05 21:11 -------- d-------- C:\Program Files\Samsung
    2006-09-05 18:51 -------- d-------- C:\Program Files\Norton AntiVirus
    2006-09-05 18:49 -------- d-------- C:\Program Files\SymNetDrv
    2006-09-05 18:49 -------- d-------- C:\Program Files\Symantec
    2006-09-05 18:35 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
    2006-09-05 17:52 -------- d-------- C:\Documents and Settings\default\Application Data\Symantec
    2006-09-05 17:41 -------- d-------- C:\Program Files\Swarm
    2006-09-01 18:12 -------- d-------- C:\Program Files\Luxor Amun Rising
    2006-08-28 10:35 -------- d-------- C:\Documents and Settings\default\Application Data\Adobe
    2006-08-27 18:51 -------- d-------- C:\Documents and Settings\default\Application Data\wsInspector
    2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-17 11:16 127992 --a------ C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
    2006-08-13 14:13 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 11:18 -------- d-------- C:\Documents and Settings\default\Application Data\AdobeUM
    2006-08-09 10:41 -------- d-------- C:\Program Files\Google
    2006-08-08 10:30 26112 --a------ C:\WINDOWS\npigl.dll
    2006-08-08 10:30 26112 --a------ C:\npigl.dll
    2006-08-08 08:09 7680 --a------ C:\WINDOWS\system32\igApi32.dll
    2006-08-08 08:09 6144 --a------ C:\WINDOWS\system32\igApi329x.dll
    2006-08-08 08:04 4608 --a------ C:\WINDOWS\system32\igApiOps.dll
    2006-08-07 09:23 -------- d-------- C:\Program Files\LexmarkX83
    2006-08-04 12:59 131072 --a------ C:\WINDOWS\system32\pluginhostctrl.dll
    2006-07-28 15:04 24576 --a------ C:\WINDOWS\igBrowse.exe
    2006-07-28 15:04 24576 --a------ C:\igBrowse.exe
    2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-06-22 06:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
    2006-06-22 06:06 1435648 --a------ C:\WINDOWS\system32\query.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW "= "rundll32.exe nview.dll,nViewLoadHook "
    "Spyware Doctor "= "C:\\PROGRA~1\\SPYWAR~1\\swdoctor.exe /Q "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\\WINDOWS\\ehome\\ehtray.exe "
    "NvCplDaemon "= "RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup "
    "nwiz "= "nwiz.exe /install "
    "ezShieldProtector for Px "= "C:\\WINDOWS\\System32\\ezSP_Px.exe "
    "PinnacleDriverCheck "= "C:\\WINDOWS\\system32\\PSDrvCheck.exe "
    "Lexmark X83 Button Monitor "= "C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X83.exe "
    "Lexmark X83 Button Manager "= "C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X83.exe "
    "PrinTray "= "C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "LogitechVideoRepair "= "C:\\Program Files\\Logitech\\Video\\ISStart.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "ccApp "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "Symantec NetDriver Monitor "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer "
    "RFX_auto_upgrade "=" "
    "Windows Defender "= "\ "C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide "
    "!ewido "= "\ "C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000005

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,12,01,00,00,23,00,00,00,dc,00,00,00,d2,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "
    "NvMediaCenter "= "RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit "
    "Spyware Doctor "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "
    "NvMediaCenter "= "RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit "
    "Spyware Doctor "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} "= "Microsoft AntiMalware ShellExecuteHook "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - default.job

    Completion time: 15/09/2006 19:51:32.23
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt








    Logfile of HijackThis v1.99.1
    Scan saved at 19:52:37, on 15/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\system32\cscript.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\cscript.exe
    C:\PROGRA~1\Logitech\Video\AlbumDB2.exe
    C:\PROGRA~1\Logitech\Video\FxSvr2.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  19. 2006/09/15
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Excellent, everything looks good, no nasties. Is the machine running smoothly now, with no unwanted symptoms? Let me know please.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
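As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python parser for HJT log lines of the kind posted above. It flags the "(file missing)" orphans that TeMerc had fixed earlier in the thread (the O2 ssttq.dll BHO and the O20 winepi32 Winlogon Notify entry) and separates per-user (HKCU / Startup) load points from machine-wide ones, which is the reason a secondary account needs its own log. The sample log is constructed from entries quoted in this thread; the classification rules are my own assumptions about the log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the HijackThis v1.99.1 lines quoted in this thread:
# the two orphaned entries TeMerc asked to have fixed, plus a few benign ones.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {D3E1853E-8878-49FA-8523-17FB2F3F1434} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
MISSING_MARK = "(file missing)"


@dataclass
class Entry:
    kind: str       # HJT section code, e.g. "O2", "O4", "O20"
    scope: str      # "per-user" or "machine"
    target: str     # file (or command line) the load point references
    orphaned: bool  # True when HJT reports the referenced file as missing
    raw: str


def _scope_of(kind: str, body: str) -> str:
    # Assumption: only O4 entries under HKCU or the per-user Startup folder are
    # account-specific; BHOs, Winlogon Notify and services are machine-wide.
    if kind == "O4" and (body.startswith("HKCU\\") or body.startswith("Startup:")):
        return "per-user"
    return "machine"


def _target_of(kind: str, body: str) -> str:
    text = body.replace(MISSING_MARK, "").strip()
    if kind == "O4":
        # "[name] command" for Run keys, "name.lnk = path" for Startup folders
        if "] " in text:
            return text.split("] ", 1)[1].strip().strip('"')
        return text.split(" = ", 1)[-1].strip()
    # O2/O20/O23: the referenced file is the last " - " separated field
    return text.rsplit(" - ", 1)[-1].strip()


def parse_hjt_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, "Running processes" paths, blanks
        kind, body = m.group("kind"), m.group("body")
        entries.append(Entry(kind, _scope_of(kind, body), _target_of(kind, body),
                             MISSING_MARK in body, line.strip()))
    return entries


def find_orphaned(entries: List[Entry]) -> List[Entry]:
    """Load points whose file HJT could not find: leftovers of a removed component."""
    return [e for e in entries if e.orphaned]


def per_user_entries(entries: List[Entry]) -> List[Entry]:
    """Entries that only run for the logged-on account; other accounts need their own log."""
    return [e for e in entries if e.scope == "per-user"]


def count_by_kind(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_HJT_LOG)
    for e in find_orphaned(parsed):
        print(f"orphaned {e.kind}: {e.target}")
    for e in per_user_entries(parsed):
        print(f"per-user {e.kind}: {e.target}")
```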
     
  20. 2006/09/15
    Oddie

    Oddie Inactive Thread Starter

    Joined:
    2006/09/09
    Messages:
    12
    Likes Received:
    0
    Thanx Tom!

    ..everything seems to be running fine this end now. I've installed some of the recommended utilities to hopefully stop this sort of thing happening in the future, cheers for the advice.

    One question though, there is another user account on my pc, though it never gets used. Would the virus have spread to that area or would it have been isolated to the user area that is operating?

    I'm keeping my fingers crossed that all will now be well, and I'll be popping you on my Christmas card list! Again, big thanks.

    Od
     
  21. 2006/09/15
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    It is very rare we find much of anything on secondary accounts, but to be safe run HJT and let's see what we find.
     
