BleepingComputer.com: Need Lots Of Help Please

Need Lots Of Help Please

#51 pcdome

Posted 30 September 2006 - 08:54 PM

Gmer2:

GMER 1.0.11.11390 - http://www.gmer.net
Autostart 2006-10-01 10:23:36
Windows 5.1.2600 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\System32\Userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Automatic LiveUpdate Scheduler /*Automatic LiveUpdate Scheduler*/@ = "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
ccEvtMgr /*Symantec Event Manager*/@ = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr /*Symantec Settings Manager*/@ = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
ColdFusion MX 7 Application Server /*ColdFusion MX 7 Application Server*/@ = "C:\CFusionMX7\runtime\bin\jrunsvc.exe"
ColdFusion MX 7 Search Server /*ColdFusion MX 7 Search Server*/@ = "C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Program Files\ewido anti-spyware 4.0\guard.exe
navapsvc /*Norton AntiVirus Auto-Protect Service*/@ = "C:\Program Files\Norton AntiVirus\navapsvc.exe"
NPFMntor /*Norton AntiVirus Firewall Monitor Service*/@ = "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"
npkcsvc /*npkcsvc*/@ = C:\WINDOWS\System32\npkcsvc.exe
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\System32\nvsvc32.exe
SNDSrvc /*Symantec Network Drivers Service*/@ = "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
SnoopFreeSvc /*Snoop Free Service*/@ = System32\SnoopFreeSvc.exe
SPBBCSvc /*SPBBCSvc*/@ = "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
Symantec Core LC /*Symantec Core LC*/@ = "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IMJPMIG8.1"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
@PHIME2002ASyncC:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
@PHIME2002AC:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
@SnoopFreeUISnoopFreeUI.exe = SnoopFreeUI.exe
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@BigDogPathC:\WINDOWS\VM_STI.EXE lebeca web camera driver = C:\WINDOWS\VM_STI.EXE lebeca web camera driver
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
@ccApp"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
@SSC_UserPrompt"C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
@NAV CfgWizC:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT" /*file not found*/ = C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT" /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@winupx Service = winupx.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\System32\ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
@BitComet"C:\Program Files\BitComet\BitComet.exe" = "C:\Program Files\BitComet\BitComet.exe"
@updateMgr"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
@PeerGuardianC:\Program Files\PeerGuardian2\pg2.exe = C:\Program Files\PeerGuardian2\pg2.exe
@Yahoo! Pager"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
@ksvhtclidsverksvhtclidsver.exe = ksvhtclidsver.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{4EB37360-49E8-11D3-95B5-004033382980} /*ALZip 4.0 Context Menu Shell Extension*/(null) =
@{2AA489CC-FEDC-4DD5-A693-0B8FED9D8B0D} /*ALSee 1.0 Context Menu Shell Extension*/C:\PROGRA~1\ESTsoft\ALSee\ASSHLE~1.DLL /*file not found*/ = C:\PROGRA~1\ESTsoft\ALSee\ASSHLE~1.DLL /*file not found*/
@{E976844F-E7A7-41E1-B7DF-6FDC48AE2C57} /*MJ2Desc Shell Extension*/(null) =
@{170C6CC2-9FB2-42e1-9184-5336C51EBE6D} /*ViRobot Expert Ver 4.0*/C:\Program Files\ViRobotXP\VShExt.dll /*file not found*/ = C:\Program Files\ViRobotXP\VShExt.dll /*file not found*/
@{239E3514-6AE0-4482-895F-F2A61B49B655} /*ViRobot Property scan Shell Extension*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\System32\nvcpl.dll = C:\WINDOWS\System32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\System32\nvcpl.dll = C:\WINDOWS\System32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} /*PowerISO*/C:\Program Files\PowerISO\PWRISOSH.DLL = C:\Program Files\PowerISO\PWRISOSH.DLL
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\System32\dfshim.dll = C:\WINDOWS\System32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\System32\dfshim.dll = C:\WINDOWS\System32\dfshim.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ALSee@{2AA489CC-FEDC-4DD5-A693-0B8FED9D8B0D} = C:\PROGRA~1\ESTsoft\ALSee\ASSHLE~1.DLL /*file not found*/
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
Symantec.Norton.Antivirus.IEContextMenu@{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton AntiVirus\NavShExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL
Symantec.Norton.Antivirus.IEContextMenu@{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton AntiVirus\NavShExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
@{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}C:\Program Files\Norton AntiVirus\NavShExt.dll = C:\Program Files\Norton AntiVirus\NavShExt.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar2.dll = c:\program files\google\googletoolbar2.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.hangame.com = http://www.hangame.com
@Start Pagehttp://www.hangame.com = http://www.hangame.com

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
@Start Pagehttp://www.cnet.com/ = http://www.cnet.com/

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\ITSS.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\ITSS.DLL
msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk

---- EOF - GMER 1.0.11 ----

#52 Whisperer

Posted 02 October 2006 - 03:30 AM

Hi pcdome,

Hopefully before you disappear for a few (noted) days, can you do a re-run of the HJT StartupList? The last one appears to be incomplete; please ensure that both boxes to the right of the button are checked...

If you run out of space then split it like you did with the Gmer logs.

GT ;)



#53 pcdome

Posted 02 October 2006 - 07:45 PM

I haven't left yet, so that's good. It's strange that the list was only partial, because I followed all your instructions before. I have attempted to make a full HJT startup list again. It is posted below.

Have a good week.

pcDome

StartupList report, 10/3/2006, 9:37:40 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HJT.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\HijackThis\HJT.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
SnoopFreeUI = SnoopFreeUI.exe
BigDogPath = C:\WINDOWS\VM_STI.EXE lebeca web camera driver
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
NAV CfgWiz = C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
BitComet = "C:\Program Files\BitComet\BitComet.exe"
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
PeerGuardian = C:\Program Files\PeerGuardian2\pg2.exe
Yahoo! Pager = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
ksvktcgidscer = ksvktcgidscer.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - Robb.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shock...director/sw.cab

[cRsiteup.acRsiteup]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cRsiteup.ocx
CODEBASE = http://www.hebogo.com/ActiveX/cRsiteup.cab

[AniCastH Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\axACastH.dll
CODEBASE = http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Malicious Software Removal Tool]
InProcServer32 = C:\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/b/d.../WebCleaner.cab

[YahooCS Class]
CODEBASE = http://kr.memo.yahoo.com/CAB/YahooWCS.cab

[XML DOM Document 4.0]
InProcServer32 = %SystemRoot%\System32\msxml4.dll
CODEBASE = http://www.spatic.go.kr/www/msxml4.cab

[{95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7}]
CODEBASE = http://www.spatic.go.kr/www/ZeusWEB.cab

[{A4508A45-F1C4-40F3-99B4-0CA08AC77E3B}]
CODEBASE = http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab

[HanSetupCtrl1008 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HanSetup1008.dll
CODEBASE = http://id.hangame.com/common/HanSetup1008.cab

[{D27CDB6E-AE6D-11CF-96B8-444553530000}]
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[Kdfense5 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\kdfense5.ocx
CODEBASE = http://kings.cachenet.com/kdf5106/kdfense5.cab

[CongnamulMap Control]
InProcServer32 = C:\WINDOWS\System32\CONGNA~1.OCX
CODEBASE = http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab

[GameDesire Pool 8]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Billard8.dll
CODEBASE = http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

winupx Service = winupx.exe

--------------------------------------------------

End of report, 9,509 bytes
Report generated in 0.656 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#54 Whisperer

Posted 04 October 2006 - 01:17 PM

Hi pcdome,

The scans reveal a couple of items that need fixing in the registry, so we will attend to that after using a program called Killbox to get rid of some files. In addition, the scans throw up the possibility of a couple of infected files.
  • The first possible infection occurs within Ewido, but this is a known false positive. It so happens that there is an update to Ewido available, so please uninstall Ewido and remove your earlier download, if you still have it. Download an updated version of the program here; the suite is fully functional on a 30 day trial basis.

  • The second file is an Office file, so please download MSOXMLMF.DLL and save it to your desktop. Now navigate to the C:\Program Files\Common Files\Microsoft Shared\OFFICE11 directory, delete the existing MSOXMLMF.DLL file and replace it with the file from your desktop.

  • Please download PocketKillbox by Option^Explicit Software from here
    • Click the Killbox.zip file and choose Extract
    • I suggest you extract it to its own folder on your desktop

  • Please open a new Notepad document and from the menu select Format; ensure that there is no tick against Word Wrap.
    • Please do a search for winupx.exe and copy the full path when found to the new notepad document
    • Please do another search using ?sv?tc?ids?er.exe and again copy all of the paths and files to the new notepad
    • Select the files from within the quote box and place on the clipboard by selecting Ctrl+C and paste these into the same notepad document.
    • Select all of the entries in the notepad document and select Copy or Ctrl+C

    Quote

    C:\WINDOWS\asvvtccidsger.exe
    C:\WINDOWS\csvatcgidsher.exe
    C:\WINDOWS\gsvctcaidsger.exe
    C:\WINDOWS\ksvhtclidsver.exe
    C:\WINDOWS\lsvktcvidsaer.exe
    C:\WINDOWS\ksvhtcgidsler.exe
    C:\WINDOWS\vsv\tchidsver.exe
    C:\WINDOWS\hsvgtccidsker.exe

  • Open the Killbox folder and click to open killbox.exe
    • Click on the File menu and then select the Paste from Clipboard item
      If you select the down arrow to the right of the box you may find that some files are missing; this is because Killbox will check to see if the file still exists on your computer.
    • Click on Delete on Reboot.
    • Place a tick in the box next to End Explorer Shell While Killing File
      Click All Files to the right of the flashing green "Single files"
    • Click Yes at the confirmation message that files will be deleted on next reboot
    • Click Yes to reboot.
    • Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

      If your computer does not restart automatically, please restart it manually.

      If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
    • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
    • Post this log in your next reply.
    We will now remove a couple of entries from the registry
  • Please open a new Notepad document and from the menu select Format; ensure that there is no tick against Word Wrap.

    Quote

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "ksvhtclidsver"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\]
    "winupx Service"=-
    • Copy the contents of the quote box and paste into the Notepad document
    • Save the file as Fix.reg
    • Ensure that the Save as type is set to All Files
    • Save the file to your desktop
    • Make sure there are NO blank lines before REGEDIT4
    • Make sure there IS one blank line after each entry.
    • Double-click on the fix.reg file, and when it prompts to merge say Yes , this will clear the bad registry entries.
    One entry to go from HijackThis
  • Start your HijackThis and click on Scan
    • Click in the check-box to the left of the following entry, if found

      • O4 - HKCU\..\Run: [ksvhtclidsver] ksvhtclidsver.exe

    • With all windows closed except HijackThis, select Fix Checked

  • Start your Killbox and select File
    • Click on Open !Killbox Backups
    • Highlight the contents of the folder, right-click and zip the files
    • Forward the compressed file to our analysis cell

  • Please reboot the computer and then post the Actions History log and a new HijackThis log, together with an update on the computer's behaviour.
GT :thumbsup:
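The checks Whisperer applies above (a bare executable with no path, a name fitting the ?sv?tc?ids?er.exe wildcard, which is why the GMER log shows ksvhtclidsver.exe while the StartupList shows ksvktcgidscer.exe, and an entry under Policies\Explorer\Run) can be automated over a StartupList report. The script below is an added example, not code from HijackThis, Killbox or anyone in the thread; it assumes the StartupList text layout shown in post #53, the sample report is a constructed subset of that log, and the allow-list of bare names is constructed for the example.

```python
"""Triage of StartupList autorun sections (added example, not HijackThis or
Killbox code). It parses the 'Autorun entries from Registry:' blocks of a
StartupList report, flags entries showing the indicators the helper acts on
(bare executable with no path, a name fitting the ?sv?tc?ids?er.exe wildcard,
anything under Policies\\Explorer\\Run) and emits a REGEDIT4 deletion file.
"""
import fnmatch

# Constructed sample in the shape of the StartupList report above (a subset).
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
BitComet = "C:\Program Files\BitComet\BitComet.exe"
ksvktcgidscer = ksvktcgidscer.exe

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

winupx Service = winupx.exe

--------------------------------------------------
"""

# Wildcard the helper gave for the search; '?' stands for one character.
RANDOMISED_NAME = "?sv?tc?ids?er.exe"

# Bare names the report legitimately lists without a path (constructed allow-list).
KNOWN_BARE = {"soundman.exe", "nwiz.exe", "snoopfreeui.exe", "rundll32.exe"}

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_autoruns(report):
    """Yield (key, name, value) for each entry of every autorun section."""
    lines = report.splitlines()
    key = None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Autorun entries from Registry:"):
            key = lines[i + 1].strip()      # the key path follows the header
        elif line.startswith("---"):
            key = None                      # section separator
        elif key and " = " in line:
            name, value = line.split(" = ", 1)
            yield key, name.strip(), value.strip()


def first_token(value):
    """Return the executable part of a Run value, unquoted, without args."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def triage(report):
    """Return [(key, name, value, reasons)] for entries worth a closer look."""
    findings = []
    for key, name, value in parse_autoruns(report):
        exe = first_token(value)
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\policies\\explorer\\run" in key.lower():
            reasons.append("policies-run-key")   # rarely a legitimate autorun
        if fnmatch.fnmatchcase(base, RANDOMISED_NAME):
            reasons.append("randomised-name")    # name changes between logs
        if "\\" not in exe and base not in KNOWN_BARE:
            reasons.append("no-path")            # bare file, origin unknown
        if reasons:
            findings.append((key, name, value, reasons))
    return findings


def deletion_reg(findings):
    """Build the REGEDIT4 text that removes each flagged value ("name"=-)."""
    out = ["REGEDIT4", ""]
    for key, name, _value, _reasons in findings:
        hive, _, rest = key.partition("\\")
        out.append("[%s\\%s]" % (HIVES.get(hive.upper(), hive), rest))
        out.append('"%s"=-' % name)
        out.append("")                          # one blank line after each entry
    return "\n".join(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_REPORT)
    for key, name, value, reasons in hits:
        print("%s\n  %s = %s  [%s]" % (key, name, value, ", ".join(reasons)))
    print(deletion_reg(hits))
```

Running it on the sample flags only ksvktcgidscer and winupx Service and prints the same two-entry REGEDIT4 file the helper quotes, with the entry names taken from the log being triaged rather than from an earlier one.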

#55 Whisperer

Posted 13 October 2006 - 03:18 AM

Hi pcdome,

Any updates please?

GT :thumbsup:

#56 pcdome

Posted 14 October 2006 - 03:14 AM

Hi Whisperer,

I'm so sorry. I told you about the week-long holiday, but I didn't tell you that after the holiday my family was coming for two weeks for my wedding. So right now, I'm extremely busy with work, family, and the wedding, so I won't be able to actually try to fix my pc again until after 10/22. I'm really sorry to keep you hanging and to continue doing these kinds of things to you.

Thank you in advance for your patience and understanding.

Sincerely,

pcDome

#57 Whisperer

Posted 14 October 2006 - 06:03 AM

I shall start badgering you again on the 24th! :huh: (got to give you one day at least with your Wife) :flowers: :huh: - in the meantime have a superbly special happy day for you and your bride. :huh: :huh: :o

GT :huh: :thumbsup:

#58 pcdome

Posted 22 October 2006 - 06:23 AM

Alright Whisperer,

Thanks for your blessing, and I even cancelled my honeymoon just for you. JK! I'm hoping I will be able to go away in January, but this month I've had way too much time off from work that I can't take more time off to go on a honeymoon. Booooo!!!

Anyhow, I've got no idea what's going on here. I had success removing and adding ewido. However, when I tried to delete the old MSOXMLMF.DLL file I received a message telling me that the file couldn't be accessed because it was in use or write-protected. I have downloaded the new .dll but I haven't replaced it yet.

Second problem, I can't find the winupx.exe file anywhere, I searched back on these postings and noticed many notes next to it reading "file not found." So, do you have any idea where or how I might find it?

The next one I searched for was the ?sv?tc?ids?er.exe file and the only file that came up there was csvatcgidsher.exe which was located at C:\Windows\csvatcgidsher.exe. No other similar files were found.

I did as you instructed me and used Killbox and pasted the files from the clipboard, and if Killbox was working correctly the only file it found on the computer from the pasting was csvatcgidsher.exe. So, I tried to run Killbox but I never received the "Click Yes at the confirmation message that files will be deleted on next reboot" or the "Click Yes to reboot." prompts. So, I clicked exit thinking that might launch the prompts but it didn't, so I tried again, and still the same thing. This time when I exited though I decided to restart the computer to see if that would get Killbox to work. However, judging by the Killbox log, and that the csvatcgidsher.exe file is still on my computer, it didn't work. Here is the log just in case I'm wrong:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Robb(Administrator)
was started @ Sunday, October 22, 2006, 7:55 PM

Killbox Closed(Exit) @ 8:01:05 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Robb(Administrator)
was started @ Sunday, October 22, 2006, 8:01 PM

Killbox Closed(Exit) @ 8:01:57 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Robb(Administrator)
was started @ Sunday, October 22, 2006, 8:05 PM


Just a note about the messages from Killbox you said I may get, I never got any of those.

So, since I seem to be doing everything wrong, I've stopped at this point to tell you what's happening to see if it's really something I'm doing or something with the software, etc.

Thanks for your help and your congratulations again. I should be in contact more frequently again. :thumbsup:

pcDome

#59 User is offline   Whisperer 

  • Senior Member
  • Group: Members
  • Posts: 405
  • Joined: 29-May 05

Posted 25 October 2006 - 01:13 PM

Can I have an updated HijackThis log please.

GT :thumbsup:

#60 User is offline   pcdome 

  • Member
  • Group: Members
  • Posts: 39
  • Joined: 03-July 06

Posted 27 October 2006 - 03:23 AM

Here's my latest HJT Whisperer:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:43 PM, on 10/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\HijackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\SymProbe.exe -r "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3D51DCE5-683F-422E-AB48-9D21E6DD5808} (cRsiteup.acRsiteup) - http://www.hebogo.com/ActiveX/cRsiteup.cab
O16 - DPF: {3E5BBDC8-18F9-4A70-94B5-DD64929C0AF4} (AniCastH Class) - http://gogo.jaeminara.co.kr/gogo/hansol/na...ol/axacastH.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spatic.go.kr/www/msxml4.cab
O16 - DPF: {95FAA6CA-9CD5-40A5-B9EA-2ED419D4D9E7} - http://www.spatic.go.kr/www/ZeusWEB.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://kings.nefficient.co.kr/kings/kdfx/k...29/kdfense8.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O16 - DPF: {D2A4C311-F608-4E0E-BBFE-6B25E31AC15B} (Kdfense5 Control) - http://kings.cachenet.com/kdf5106/kdfense5.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pcDome
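A small triage helper for logs in this format, added here as an example (it is not from the thread and is not part of HijackThis): it splits a HijackThis log into its numbered sections and flags the entries a helper usually looks at first, namely "(file missing)" references, O16 ActiveX downloads served from a bare IP address, and O4 startup entries written as an unqualified file name, which Windows resolves through the search path rather than from a fixed location. The sample log is constructed from a handful of the lines above; the flagging rules are this example's own, not HijackThis's.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: a few lines in the HijackThis v1.99 log format,
# modelled on entries from the thread above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {3D51DCE5-683F-422E-AB48-9D21E6DD5808} (cRsiteup.acRsiteup) - http://www.hebogo.com/ActiveX/cRsiteup.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code such as "O4" or "R1",
# followed by " - " and the entry body.
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text):
    """Group log lines by section code, keeping the order sections first appear."""
    sections = defaultdict(list)
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def is_qualified_command(cmd):
    """True if an O4 command begins with a quoted path, a drive letter or an env var."""
    return cmd.startswith('"') or re.match(r"^(?:[A-Za-z]:\\|%)", cmd) is not None


def flag_entries(text):
    """Return (section, reason, entry) tuples worth a closer look, in log order."""
    flagged = []
    for section, entries in parse_hjt(text).items():
        for entry in entries:
            if "(file missing)" in entry:
                # A registered hook or service whose binary is gone: leftover
                # from a removed program, or a reference to something deleted.
                flagged.append((section, "file missing", entry))
            if section == "O16":
                # O16 = Download Program Files (ActiveX); the URL is the last field.
                url = entry.rsplit(" - ", 1)[-1]
                host = urlparse(url).hostname or ""
                if IPV4_RE.match(host):
                    flagged.append((section, "ActiveX source is a bare IP address", entry))
            if section == "O4":
                # O4 = autostart entries; the command follows the "[name] " tag.
                cmd = entry.split("] ", 1)[-1]
                if not is_qualified_command(cmd):
                    flagged.append((section, "unqualified path", entry))
    return flagged


if __name__ == "__main__":
    for code, entries in parse_hjt(SAMPLE_LOG).items():
        print(f"{code}: {len(entries)} entries")
    for section, reason, entry in flag_entries(SAMPLE_LOG):
        print(f"[{section}] {reason}: {entry}")
```

The rules are deliberately narrow: they surface entries for a human reviewer and do not decide that anything is malicious. An unqualified O4 command (like the SOUNDMAN.EXE entry above) is often a legitimate driver utility, but it is the kind of line a helper checks by hand, which is why the example reports it rather than ignoring it.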

#61 User is offline   Whisperer 

  • Senior Member
  • Group: Members
  • Posts: 405
  • Joined: 29-May 05

Posted 27 October 2006 - 05:41 AM

Thank you for the HJT

I note that the 'Personal Firewall Checker' service in Norton is running and I am not too sure of their set-up and what package you have.

Does the Symantec/Norton installation that you have include a firewall?

GT :thumbsup:

This post has been edited by Whisperer: 27 October 2006 - 05:41 AM


#62 User is offline   pcdome 

  • Member
  • Group: Members
  • Posts: 39
  • Joined: 03-July 06

Posted 28 October 2006 - 08:37 PM

As far as I can tell it doesn't have a firewall on it. I'm running Norton Antivirus 2006 if that helps you know if it has a firewall. I looked at all the coverage options in the "Protection Center" and I didn't see anything about a firewall.

I hope this info helps you.

BTW, just out of curiosity what does "GT" mean? I'm not 2 up on my computer lingo talk, but I always like to learn these things b/c I like to use them when sending text msgs.

Thanks.

#63 User is offline   pcdome 

  • Member
  • Group: Members
  • Posts: 39
  • Joined: 03-July 06

Posted 02 November 2006 - 07:35 AM

I don't want to be a pest, but just curious if you have any updates?

Thanks,

pcDome

#64 User is offline   Whisperer 

  • Senior Member
  • Group: Members
  • Posts: 405
  • Joined: 29-May 05

Posted 02 November 2006 - 10:17 AM

I had prepared a response BUT had forgotten to post it for checking by my tutor - sorry, it has been posted now and will come to you as soon as it has been checked

This post has been edited by Whisperer: 02 November 2006 - 10:18 AM


#65 User is offline   Whisperer 

  • Senior Member
  • Group: Members
  • Posts: 405
  • Joined: 29-May 05

Posted 02 November 2006 - 10:35 AM

Hi pcdome,

There is no greater significance to GT other than they are my initials :thumbsup: The log is looking good in spite of your problems running some of the fixes especially as we seem to have got rid of that “?sv?tc?ids?er.exe” series of files.

Please boot into safe mode and then move the MSOXMLMF.DLL that you have downloaded straight into its correct directory of C:\Program Files\Common Files\Microsoft Shared\OFFICE11\ and click Yes when asked whether to overwrite the old one.

With regard to WinUPX, it was a freebie program that you may have removed a while ago; we will have a stay of execution on that one.

Please do an online scan with Kaspersky Online Scanner. You must use Internet Explorer for this scanner.
  • Click on Kaspersky Online Scanner
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes .
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings and ensure that the following are selected:
    • Under Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)

    • Under Scan Options:
      • Scan Archives
      • Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post together with a new HijackThis log.
GT :flowers:
