
cli and scvhost error onbootup

Discussion in 'Malware and Virus Removal Archive' started by psychokiller87, 2006/11/27.

  1. 2006/11/27
    psychokiller87
    Hello, I have recently been having problems.
    When I turn on Windows I get two error messages:
    scvhost not found
    and
    CLI failed to initialize

    Also, when I type, often nothing appears on the screen and I have to press the key repeatedly for it to show.

    Additionally, I can no longer do Windows updates.

    I get a screen that says checking for updates (or similar),
    and sometimes it has an animated green bar but most times it doesn't.
    It then also makes svchost run at 99 percent CPU
    (it appears to be the Windows Update controller).
    Here is my log:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:21:32 PM, on 27/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\utorrent.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\armold trojan remover\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163775142873
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164461540218
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    Any help would be much appreciated.
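A defender-side triage pass over the "Running processes" and O4 lines of a log like the one above, added here as an example (it is not part of this thread and not HijackThis code). It flags two things a reviewer looks for by eye: a process name that is one or two characters off a core Windows binary (the "scvhost" in the boot error versus the real svchost.exe), and a core name running from somewhere other than its normal directory. The sample log and its two planted bad entries are constructed; the directory table assumes a default C:\WINDOWS install.

```python
"""Triage a HijackThis-style log for look-alike and misplaced system binaries."""
import ntpath
import re
from typing import Dict, List, Tuple

# Core binaries that malware likes to impersonate, by name or by location.
# Assumption: default XP install paths, compared case-insensitively.
CORE_BINARIES: Dict[str, str] = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# O4 autorun entries look like: O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - .*?\\Run: \[[^\]]*\] (?P<cmd>.+)$")
# First .exe token of a command line, quoted or bare; arguments are ignored.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; 'scvhost' vs 'svchost' is 2 (a swap costs two edits)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_paths(log: str) -> List[str]:
    """Collect executable paths from the 'Running processes' block and O4 entries."""
    paths: List[str] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process block
                in_processes = False
            else:
                paths.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            if exe:
                paths.append(exe.group("exe"))
    return paths


def triage_path(path: str) -> List[str]:
    """Return human-readable findings for one executable path (empty if clean)."""
    directory, name = ntpath.split(path)
    lname, ldir = name.lower(), directory.lower()
    findings: List[str] = []
    if lname in CORE_BINARIES:
        # Right name, wrong place: e.g. an lsass.exe sitting in a download folder.
        if ldir and ldir != CORE_BINARIES[lname]:
            findings.append(f"{name} running from unexpected directory {directory}")
    else:
        # Wrong name, close to a core one: e.g. scvhost.exe vs svchost.exe.
        for core in CORE_BINARIES:
            if levenshtein(lname, core) <= 2:
                findings.append(f"{name} looks like a misspelling of {core}")
    return findings


def audit_log(log: str) -> List[Tuple[str, str]]:
    """Run triage over every path in the log; returns (path, finding) pairs."""
    return [(p, f) for p in extract_paths(log) for f in triage_path(p)]


# Constructed sample: a few genuine-looking entries plus two planted ones
# (C:\WINDOWS\scvhost.exe and a misplaced lsass.exe) to show the detection.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\scvhost.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Updater] F:\Programs\BitLord Pro\lsass.exe
"""

if __name__ == "__main__":
    for path, finding in audit_log(SAMPLE_LOG):
        print(f"{finding}  <- {path}")
```

Run against the sample it reports exactly the two planted entries and nothing for the genuine ones; a hit is a prompt to check the file, not proof of infection on its own.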
     
  2. 2006/11/27
    TeMerc
    Hello and welcome to WindowsBBS Forums.

    Nothing obvious in the log, so let's get an online scan and do a file search for hidden nasties.

    Go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.


    Then do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner icon.
    Accept the Kaspersky agreement and the program will load.
    You will then be prompted to install an ActiveX component from Kaspersky, click Yes

    The program will then begin downloading the latest definition files. This will take a few minutes, even with hi-speed.
    Once the files have been downloaded click on Next

    Now click on Scan Settings button.
    In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
    Click OK

    Now under the Please select a target to scan:
    Select My Computer

    The program will begin the scanning process.
    The scan will take a while so be patient and let it run.
    Once the scan is complete it will display if your system has been infected.
    Then click on the Save as Text button.
    Save the file to your desktop.

    Copy and paste that information in your next post for me to review.

    Then download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.

  4. 2006/11/27
    psychokiller87
    Thanks TeMerc for your response.

    At the risk of stating the obvious,
    I've run NOD32 (updated) on my computer and removed the malicious software it found on its first scan, since it has found anything.

    Here are the results from Panda:

    Incident Status Location

    Adware:adware/ist.istbar Not disinfected Windows Registry
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ehg-idg.hitbox[2].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt

    Virus:Bck/HackMess.A Disinfected F:\Programs\BitLord Pro [UseNext]\Bitlord Pro (UseNext)\Bitlord Pro (UseNext)\Bitlord Pro (UseNext) incl acount-maker 100% working. Download with ur whole bandwitch. Enjoy\lsass.exe
    Virus:Bck/HackMess.A Disinfected F:\Programs\BitLord Pro [UseNext]\Bitlord Pro (UseNext)\Bitlord Pro (UseNext)\Bitlord Pro (UseNext) incl acount-maker 100% working. Download with ur whole bandwitch. Enjoy\svchost.exe
    Virus:Bck/HackMess.A Not disinfected F:\Programs\BitLord Pro [UseNext]\Bitlord Pro (UseNext).rar[Bitlord Pro (UseNext)\Bitlord Pro (UseNext) incl acount-maker 100% working. Download with ur whole bandwitch. Enjoy\lsass.exe]
    Virus:Bck/HackMess.A Not disinfected F:\Programs\BitLord Pro [UseNext]\Bitlord Pro (UseNext).rar[Bitlord Pro (UseNext)\Bitlord Pro (UseNext) incl acount-maker 100% working. Download with ur whole bandwitch. Enjoy\svchost.exe]
    Spyware:Spyware/SafeSurf Not disinfected F:\Programs\evillyrics.zip[setup.exe][²ÜÇ\ExtractDLL.dll]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected G:\mft\MFT 39927[Serv-U FTP 5.0 Corporate Cracked\susetup.exe]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected G:\mft\MFT 39927[Serv-U FTP 5.0 Corporate Cracked\susetup.exe][SERVUDAEMON.EXE]
    Potentially unwanted tool:Application/ServUBased.A Not disinfected G:\mft\MFT 39927[Serv-U FTP 5.0 Corporate Cracked\susetup.exe][SERVUTRAY.EXE]
    Here are the results from Kaspersky:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, November 28, 2006 1:27:57 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 27/11/2006
    Kaspersky Anti-Virus database records: 232212
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 172022
    Number of viruses found: 3
    Number of infected objects: 5 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 03:42:50

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\psychokiller87@hotmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\psychokiller87@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\psychokiller87@hotmail.com\SharingMetadata\Working\database_BA70_3CC_7003_8E77\dfsr.db Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\psychokiller87@hotmail.com\SharingMetadata\Working\database_BA70_3CC_7003_8E77\fsr.log Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\psychokiller87@hotmail.com\SharingMetadata\Working\database_BA70_3CC_7003_8E77\fsrtmp.log Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\psychokiller87@hotmail.com\SharingMetadata\Working\database_BA70_3CC_7003_8E77\tmp.edb Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\psychokiller87@hotmail.com\real\members.stg Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\psychokiller87@hotmail.com\shadow\members.stg Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006112820061129\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_674.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5BCB.tmp Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5C8E.tmp Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBFDD.tmp Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC044.tmp Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
    C:\Program Files\ESET\infected\NTJQDAAA.NQF Infected: Trojan.Win32.KillAV.gf skipped
    C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
    C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{9A6114F5-0FCD-48C9-A09E-6C843C41F97E}\RP36\A0022208.exe Infected: Trojan-Spy.Win32.Agent.ph skipped
    C:\System Volume Information\_restore{9A6114F5-0FCD-48C9-A09E-6C843C41F97E}\RP40\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{C1641C34-C85E-4536-A8D6-6808C4D372CD}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    F:\System Volume Information\_restore{9A6114F5-0FCD-48C9-A09E-6C843C41F97E}\RP40\change.log Object is locked skipped
    G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    G:\System Volume Information\_restore{9A6114F5-0FCD-48C9-A09E-6C843C41F97E}\RP40\change.log Object is locked skipped

    Scan process completed.

    (Note that some of the infected files were removed for privacy reasons; these files I have declared as safe or not unwanted.)
     
  5. 2006/11/27
    psychokiller87
    Silent Runners

    This is the log from Silent Runners:
    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MsnMsgr" = " "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
    "Free Download Manager" = "C:\Program Files\Free Download Manager\fdm.exe -autorun" [null data]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "µTorrent" = " "C:\Documents and Settings\Administrator\Desktop\utorrent.exe" " [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SoundMan" = "SOUNDMAN.EXE" [ "Realtek Semiconductor Corp."]
    "SunJavaUpdateSched" = " "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" " [ "Sun Microsystems, Inc."]
    "itype" = " "C:\Program Files\Microsoft IntelliType Pro\itype.exe" " [MS]
    "IntelliPoint" = " "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" " [MS]
    "nod32kui" = " "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" [ "Eset "]
    "ATICCC" = " "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" " [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Sign-in Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders "
    -> {HKLM...CLSID} = "My Sharing Folders "
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL "
    -> {HKLM...CLSID} = "SmartFTP Shell Extension DLL "
    \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" [ "SmartFTP"]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{1825D0FA-5B0C-4e20-A929-3EFD15B6DF71}" = "IntelliType Pro Touchpad Control Property Page "
    -> {HKLM...CLSID} = "IntelliType Pro Touchpad Control Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliType Pro\itcpltp.dll" " [MS]
    "{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page "
    -> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll" " [MS]
    "{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page "
    -> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll" " [MS]
    "{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page "
    -> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll" " [MS]
    "{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page "
    -> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll" " [MS]
    "{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page "
    -> {HKLM...CLSID} = "Wireless Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll" " [MS]
    "{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page "
    -> {HKLM...CLSID} = "Wheel Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll" " [MS]
    "{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page "
    -> {HKLM...CLSID} = "Activities Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliPoint\ipcplact.dll" " [MS]
    "{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page "
    -> {HKLM...CLSID} = "Buttons Property Page "
    \InProcServer32\(Default) = " "C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll" " [MS]
    "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension "
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
    "{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension "
    -> {HKLM...CLSID} = "SimpleShlExt Class "
    \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler "
    -> {HKLM...CLSID} = "Microsoft Office Outlook "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler "
    -> {HKLM...CLSID} = "Outlook File Icon Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension "
    -> {HKLM...CLSID} = "DisplayCplExt Class "
    \InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" [ "Stardock.Net, Inc"]

    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "Shell" = "Explorer.exe scvhost.exe" [MS], [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    <<!>> "AppInit_DLLs" = "wbsys.dll" [ "Stardock.Net, Inc"]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" [ "ATI Technologies Inc."]
    <<!>> WBSrv\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll" [ "Stardock"]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> application/octet-stream\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "
    -> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1 "
    \InProcServer32\(Default) = "mscoree.dll" [file not found]
    <<!>> application/x-complus\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "
    -> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1 "
    \InProcServer32\(Default) = "mscoree.dll" [file not found]
    <<!>> application/x-msdownload\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "
    -> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1 "
    \InProcServer32\(Default) = "mscoree.dll" [file not found]
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945} "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D} "
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D} "
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoActiveDesktop" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Disable Active Desktop}

    "NoSaveSettings" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|
    Don't save settings at exit}

    "ClassicShell" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Windows Components|Windows Explorer|
    Enable Classic Shell / Turn on Classic Shell}

    "NoThemesTab" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Enable Active Desktop}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableTaskMgr" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
    Remove Task Manager}

    "NoDispAppearancePage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoColorChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoSizeChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Control Panel|Display|
    Hide Desktop tab}

    "NoDispScrSavPage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispCPL" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Control Panel|Display|
    Remove Display in Control Panel}

    "NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispSettingsPage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    "DisableTaskMgr" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "Administrator" & "All Users" startup folders:
    ---------------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" [ "Adobe Systems, Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    C:\WINDOWS\system32\imon.dll [ "Eset "], 01 - 05, 21
    %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 20
    %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{F2CF5485-4E02-4F68-819C-B92DE9277049} "
    -> {HKLM...CLSID} = "&Links "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research "
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} "
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" [ "Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research "

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001 "
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" [ "ATI Technologies Inc."]
    HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" { "C:\WINDOWS\System32\w3ssl.dll" [MS]}
    Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" " [MS]
    Messenger Sharing USN Journal Reader service, usnsvc, "C:\WINDOWS\System32\svchost.exe -k usnsvc" { "C:\Program Files\MSN Messenger\usnsvc.dll" [MS]}
    NOD32 Kernel Service, NOD32krn, " "C:\Program Files\Eset\nod32krn.exe" " [ "Eset "]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Microsoft Office Document Image Writer Monitor\Driver = "mdimon.dll" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 42 seconds, including 14 seconds for message boxes)

The results from the Silent Runners test.

(P.S. sorry for the late response, it takes a long time to scan 3 hard drives, 2 of which are 250 GB in total size, so I let it run while I slept.)
     
  6. 2006/11/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
So I gather the threat has been removed? Want to clarify, because your wording seems a bit off. You do mean the scan hasn't found anything, correct? Due to your AV finding and removing it?
     
  7. 2006/11/28
    psychokiller87

    psychokiller87 Inactive Thread Starter

    Joined:
    2006/11/27
    Messages:
    13
    Likes Received:
    0
My bad.

No, sorry, I meant to say that before I ran the recommended scans I ran NOD32.

But the problem still exists; I just wanted to say that in case you recommended I scan with that again.

The problem is still there.
     
  8. 2006/11/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
Oh, ok, let's kill a file then. I wasn't sure if the results were proper or not.

Download the Killbox from here and save it to the desktop.
• Double-click the KillBox icon on your desktop to open it
• Select "Delete on Reboot"
• Then select "All files".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\scvhost.exe

Return to Killbox
• Go to the File menu, and choose "Paste from Clipboard".
• Click the red-and-white "Delete File" button.
• Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Pending Operations prompt.

    Reboot the system, post a new HJT logfile and let me know if any problems persist.
     
  9. 2006/11/28
    psychokiller87

    psychokiller87 Inactive Thread Starter

    Joined:
    2006/11/27
    Messages:
    13
    Likes Received:
    0
OK, I have deleted the svchost file using Killbox.

Here is the new log:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:40:37 PM, on 29/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Desktop\utorrent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\armold trojan remover\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Administrator\Desktop\utorrent.exe "
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163775142873
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164461540218
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Additional information:
Now when I shut down it asks me to insert a disk into the floppy drive (A:) or to make sure the tray is shut.

I still get the startup errors.

And something that hadn't occurred to me before
was that on some websites (in particular MSN related, my ISP login and eBay)
I get "the page cannot be displayed" and have to manually refresh perhaps 3 times before the page will load.
I was wondering if it could be related.

Also I use Process Explorer to note that svchost uses a high amount of CPU (up to 99) and is loading the Windows Update client.

And since I deleted that, computer bootup took longer (might have been replacing the svchost though).
     
  10. 2006/11/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, I need to verify one thing, the file you deleted, was it scvhost.exe or svchost.exe......HUGE difference.

    svchost.exe is a normal system file, scvhost.exe is designed to trick users into thinking it is the legit file by transposing the v and c.

    Let me know please.
     
  11. 2006/11/29
    psychokiller87

    psychokiller87 Inactive Thread Starter

    Joined:
    2006/11/27
    Messages:
    13
    Likes Received:
    0
The file I deleted was:
C:\WINDOWS\system32\scvhost.exe

I copied and pasted the file like you suggested (one, because it's what you said to do, and two, it was easier than typing it in :p)
     
  12. 2006/11/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
Ok, we need to look a little deeper. After having someone else look at your logs, they think there may be something still hidden.

    Open HJT, click the 'None of the above, just start the program' button.
    Then click the 'Config' button in the lower right hand of the program.
    Then select the 'Misc Tools' button.
    In the upper left hand side of the program tick the two boxes 'List also minor sections (full)' button and the 'List empty sections (complete)' button and select 'Yes' when prompted by the dialog box. The resultant scan will produce a notepad log file, please paste that log file back here for me to review.
     
  13. 2006/11/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Also:

    Ok, we need to get a registry key exported to see what it actually shows. Please do as instructed below.

    We'll first back up your registry. This is just a precautionary step, and you can delete the saved file once we are done.

    Click the 'Start' button, select 'Run', hit 'Enter'.

When the box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Right click the Winlogon key and select 'Edit' from the menu. Notepad will open up with the contents of your registry file, go to 'Edit', choose the 'Select all' option and then copy the contents to post back here. You can close the editor once you have copied the information.
     
  14. 2006/11/30
    psychokiller87

    psychokiller87 Inactive Thread Starter

    Joined:
    2006/11/27
    Messages:
    13
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 11:39:01 PM, on 30/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Desktop\utorrent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\armold trojan remover\hijackthis\HijackThis.exe
    C:\WINDOWS\regedit.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Administrator\Desktop\utorrent.exe "
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163775142873
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164461540218
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E9410E3D-44EF-4D78-958E-ED029B0483B3}: NameServer = 10.1.1.3
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
     
  15. 2006/11/30
    psychokiller87

    psychokiller87 Inactive Thread Starter

    Joined:
    2006/11/27
    Messages:
    13
    Likes Received:
    0
    http://download.yousendit.com/4BD1DC425B038039

I followed the instructions the best I could, but I found some parts not to be sufficient (for example I couldn't find where you said to right click and go to edit, I don't have an edit option).

I saved the entire registry, zipped it and uploaded it to the above website.
     
  16. 2006/11/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
Ummm...no, the entire registry won't do. :p

My bad, I grabbed the wrong copy and paste from my notes.

Select WinLogon, right-click, select 'Export', then when the window pops up, select 'Save As..', select 'Text Files' and post the contents here. Sorry about that.
     
  17. 2006/11/30
    psychokiller87

    psychokiller87 Inactive Thread Starter

    Joined:
    2006/11/27
    Messages:
    13
    Likes Received:
    0
    Key Name: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Class Name: <NO CLASS>
    Last Write Time: 1/12/2006 - 7:52 AM
    Value 0
    Name: ParseAutoexec
    Type: REG_SZ
    Data: 1

    Value 1
    Name: ExcludeProfileDirs
    Type: REG_SZ
    Data: Local Settings;Temporary Internet Files;History;Temp;Local Settings\Application Data\Microsoft\Outlook

    Value 2
    Name: BuildNumber
    Type: REG_DWORD
    Data: 0xa28

    Value 3
    Name: shell
    Type: REG_SZ
    Data: Explorer.exe scvhost.exe


OK lol, that is a hell of a lot easier to paste :p
Usually I don't paste my registry.

I also see where the problem is:
scvhost.exe ... should be svchost.exe, I am to presume.
     
  18. 2006/11/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, we need to get another bit of info from you, to verify things before we remove them.

Go to: Start > Run > type "cmd", then click OK.
A command prompt window will appear; copy and paste the following into the command box and hit 'Enter':

reg query "hklm\software\microsoft\windows nt\currentversion\winlogon" /v shell > shell.txt & start shell.txt

Notepad will pop up; copy/paste the info back here for us.
     
  19. 2006/12/02
    psychokiller87

    psychokiller87 Inactive Thread Starter

    Joined:
    2006/11/27
    Messages:
    13
    Likes Received:
    0
    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    shell REG_SZ Explorer.exe

For some reason I never received notification you had posted a new reply.

So while I was waiting I downloaded some additional spyware scanners,

including
Spybot
Ad-Aware
Spy Sweeper
Spyware Doctor
Panda (anti-virus and spyware)

Despite the fact each one is supposed to be the industry leader,
they all found different/more spyware after I ran each scan, so I removed all that they found.

(Just thought it might be relevant to know, it might have fixed what you found.)

To add to this, the scvhost seems to have stopped causing an error on startup, however I still can't use Windows Update (it gets the green bar scanning the computer and nothing happens) ... also I still get the cli error on startup.

That being said, my computer seems to be running weird (it's hard to describe) but it is running slow.

Thanks for your time, you have been a great help.
Hit me back if you still got info.
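Added example (editor's code, not something either participant in this thread posted). It ties together the three technical points above: TeMerc's note that scvhost.exe imitates svchost.exe by transposing two letters, the regedit text export of the HKCU Winlogon key whose Shell value read "Explorer.exe scvhost.exe", and the `reg query` output for the HKLM Winlogon key whose Shell value was clean. The script parses both output formats, pulls out the Shell value from each hive, and flags any program other than the expected shell, naming the system binary it is a one-letter-swap lookalike of. The two sample inputs are constructed to match the shapes posted in the thread, and the list of system binary names is an illustrative assumption, not an official list.

```python
import re

# Windows system binaries whose names malware often imitates by swapping
# adjacent letters (scvhost.exe for svchost.exe, as in this thread).
# Illustrative list, constructed for this example.
KNOWN_SYSTEM_BINARIES = {
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "spoolsv.exe",
}

# Constructed sample shaped like the regedit "Export > Save As > Text Files"
# output posted for the HKCU Winlogon key (values trimmed to the ones needed).
REGEDIT_EXPORT = """Key Name: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
Class Name: <NO CLASS>
Last Write Time: 1/12/2006 - 7:52 AM
Value 0
Name: ParseAutoexec
Type: REG_SZ
Data: 1

Value 3
Name: shell
Type: REG_SZ
Data: Explorer.exe scvhost.exe
"""

# Constructed sample shaped like the output of
#   reg query "hklm\software\microsoft\windows nt\currentversion\winlogon" /v shell
REG_QUERY_OUTPUT = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon
    shell       REG_SZ  Explorer.exe
"""


def parse_regedit_export(text):
    """Map value names (lower-cased) to their data from a regedit text export.

    The export lists each value as a 'Name:' line followed by 'Type:' and 'Data:'.
    """
    values = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("name:"):
            name = line[len("name:"):].strip()
        elif line.lower().startswith("data:") and name is not None:
            values[name.lower()] = line[len("data:"):].strip()
            name = None
    return values


# One value per line: <name> <REG_type> <data>, as printed by reg.exe.
_REG_QUERY_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Map value names (lower-cased) to their data from `reg query ... /v name` output."""
    values = {}
    for line in text.splitlines():
        m = _REG_QUERY_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values


def is_transposition_of(candidate, reference):
    """True if candidate is reference with exactly one pair of adjacent letters swapped."""
    if len(candidate) != len(reference) or candidate == reference:
        return False
    diff = [i for i, (a, b) in enumerate(zip(candidate, reference)) if a != b]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and candidate[diff[0]] == reference[diff[1]]
            and candidate[diff[1]] == reference[diff[0]])


def audit_shell_value(shell_value, expected="explorer.exe"):
    """Report every program in a Winlogon Shell value other than the expected shell.

    Winlogon accepts a comma-separated list of programs; the entry in this thread
    was appended with a space, so both separators are honoured. Returns a list of
    (basename, reason) tuples; an empty list means only the expected shell is set.
    """
    findings = []
    for item in re.split(r"[,\s]+", shell_value):
        if not item:
            continue
        exe = item.lower().rsplit("\\", 1)[-1]   # strip any path, compare basenames
        if exe == expected:
            continue
        lookalikes = sorted(ref for ref in KNOWN_SYSTEM_BINARIES if is_transposition_of(exe, ref))
        if lookalikes:
            findings.append((exe, f"lookalike of {lookalikes[0]} (adjacent letters swapped)"))
        else:
            findings.append((exe, "unexpected program in Shell"))
    return findings


def audit_winlogon(hkcu_export, hklm_query):
    """Audit both hives. A missing Shell value in HKCU is normal and yields no findings."""
    return {
        "HKCU": audit_shell_value(parse_regedit_export(hkcu_export).get("shell", "")),
        "HKLM": audit_shell_value(parse_reg_query(hklm_query).get("shell", "")),
    }


if __name__ == "__main__":
    for hive, findings in audit_winlogon(REGEDIT_EXPORT, REG_QUERY_OUTPUT).items():
        print(hive, "clean" if not findings else findings)
```

Run against the constructed inputs, the HKLM hive comes back clean while the HKCU hive reports scvhost.exe as a lookalike of svchost.exe, which is exactly why the thread had to check the per-user key after the machine-wide query looked normal: the extra entry was only in HKCU. Checking both hives, and comparing basenames rather than full strings, is the point of the example.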
     
  20. 2006/12/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
That is good, seems the file reference is gone. And the errors have gone away too.

More times than not, this is the norm. I'd be curious though to know what they removed.
I've never even heard of 'cli' until this thread. Can you tell me what the specific error says and I'll Google it to see what I find.

When is it slow? Start up...surfing...switching between applications? Opening applications?
     
  21. 2006/12/05
    psychokiller87

    psychokiller87 Inactive Thread Starter

    Joined:
    2006/11/27
    Messages:
    13
    Likes Received:
    0
cli is something to do with the ATI drivers, I'll just disable it on startup, as the drivers seem to work fine themselves.

As for the computer running slow, my internet seems OK.. but I get "Internet Explorer cannot find the page" (or with Opera); all I have to do is refresh the page, sometimes 2 or 3 times, before it will work... but if I'm using something like MSN, I'm still connected and able to receive messages (or something like RuneScape, which is an online game), so the internet is working (I'd have said downloads, but you would have said it was hogging the bandwidth, which isn't the problem because it can do it when I'm not downloading).

I don't restart my computer a lot, so I don't know if it has a slow startup (it's been 4 days since I last restarted); usually I only restart it when I install something and it asks me to.

I don't generally have problems loading applications.

However, to explain what my problem is, I'll use a scenario from last night.

I was doing my homework, using Microsoft Office. I went to get a drink and must have taken longer than I thought; I came back and I had a new message on MSN. I went to click MSN and my screen turned black (as if the monitor had been unplugged). I moved my mouse and went to get up to see if it had been knocked (by the dog) and it came back. It was my screensaver (it was like it couldn't load the screen saver when it was supposed to). I couldn't bring up Task Manager to see why it was running slow, but I did get Process Explorer to open, which told me Microsoft Word was using 99% CPU, but Word wasn't running slow (usually when an application uses 99 percent it runs slow, unless it is designed to, like ripping programs) (I found, anyway).
So I saved my work and closed it. It closed normally, but the window I received the message from had locked up, not MSN, just the window, so I killed MSN as well; after that it was OK.


This is the stuff that happens to me, and it seems to be random, and no process or hardware resources seem to cause it.

(Process Explorer is an advanced version of Task Manager; it tells you more specifically what is running, by which user etc.)
     
