
Hi Jack This Log Please Help Diagnose


9 replies to this topic

#1 denz1968


Posted 10 August 2006 - 02:06 PM

Logfile of HijackThis v1.99.1
Scan saved at 20:06:00, on 10/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Anfield Alerts\anfieldalerts.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Denz\Desktop\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [LaunchList] "C:\Program Files\Pinnacle\Studio 8\LaunchList.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [wxz83470] RUNDLL32.EXE w019b23f.dll,n 0028346e0000000a019b23f
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Anfield Alerts] C:\Program Files\Anfield Alerts\anfieldalerts.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - Startup: XPizeReloader.lnk = C:\WINDOWS\XPize\XPizeReloader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - http://etalk.epson.co.uk/netagent/objects/custappx3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129481717453
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.broadbandassist.com/BTYah...tivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...805/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\kt8ml7l11.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
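Added example, not part of this thread and not code from HijackThis or BleepingComputer: a small Python triage script that parses the O4 (autostart) and O20 (Winlogon Notify) lines in the HijackThis v1.99 format shown above and flags the three patterns an analyst checks first: an entry under the RunServices key, an executable or rundll32 DLL written without a path, and a file or entry name that looks machine-generated. The sample lines are copied unchanged from the log above; the heuristics, thresholds and function names are assumptions of this example, so a hit means "look at this", not "this is malware" (nwiz.exe is a known NVIDIA component and is still flagged because it has no path).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis v1.99 line shapes handled here:
#   O4 - <hive>\..\<key>: [<entry name>] <command line>
#   O20 - Winlogon Notify: <subkey> - <dll path>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

# Constructed sample: a subset of lines from the log above, unchanged.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [winlog] winlog.exe
O4 - HKLM\\..\\Run: [wxz83470] RUNDLL32.EXE w019b23f.dll,n 0028346e0000000a019b23f
O4 - HKLM\\..\\RunServices: [winlog] winlog.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: Syncmgr - C:\\WINDOWS\\system32\\kt8ml7l11.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _first_token(command: str) -> str:
    """Executable part of an O4 command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _looks_random(filename: str) -> bool:
    """Assumed heuristic for machine-generated names such as w019b23f.dll or
    kt8ml7l11.dll: letters and digits mixed, and no vowel anywhere in the stem."""
    stem = filename.rsplit(".", 1)[0].lower()
    digits = sum(ch.isdigit() for ch in stem)
    letters = sum(ch.isalpha() for ch in stem)
    has_vowel = any(ch in "aeiou" for ch in stem)
    return len(stem) >= 6 and digits >= 2 and letters >= 2 and not has_vowel


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, reason) that deserves a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            _hive, key, name, command = m.groups()
            exe = _first_token(command)
            target = exe
            if _basename(exe).lower() == "rundll32.exe":
                # For rundll32 the interesting file is the DLL argument, not rundll32 itself.
                parts = command.split(None, 1)
                rest = parts[1] if len(parts) > 1 else ""
                target = rest.split(",", 1)[0].strip().strip('"')
            if key.lower() == "runservices":
                findings.append(Finding(line, "RunServices: Windows 9x-era autostart key, "
                                              "rarely written by legitimate XP software"))
            if target and "\\" not in target:
                findings.append(Finding(line, f"{target}: no path given, so it is resolved "
                                              "through the search path"))
            if _looks_random(_basename(target)) or _looks_random(name):
                findings.append(Finding(line, "entry or file name looks machine-generated"))
            continue
        m = O20_RE.match(line)
        if m:
            _subkey, dll = m.groups()
            if _looks_random(_basename(dll)):
                findings.append(Finding(line, "Winlogon Notify DLL name looks machine-generated"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it against a full saved log instead of SAMPLE_LOG and you get a short review list rather than a verdict; the path-less check in particular will pull in legitimate entries, which is what you want at triage time. Pair it with the O23 service list and the uninstall list the helper asks for before deciding anything.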



#2 -David-


Posted 10 August 2006 - 02:50 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

O4 - HKCU\..\Run: [Anfield Alerts] C:\Program Files\Anfield Alerts\anfieldalerts.exe

Err..Not a Liverpool fan!! :thumbsup:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from the above URL (right-click on it, choose 'Save as', and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window.
Browse to the script you downloaded and click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

2) Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

3) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

4) Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Also post the uninstall list.

David

#3 denz1968


Posted 11 August 2006 - 07:30 AM

1st MP3 Tag Editor 4.9
ABITEQ
Ad-Aware SE Personal
Adobe Reader 7.0.8
AirPlus G
AmbiCom WL11-SD (PocketPC2002 C1-13)
Anfield Alerts (remove only)
ANIO Service
ANIWZCS2 Service
AnyDVD
AOL Instant Messenger
BeClean
BullGuard 6.1
CleanUp!
CloneDVD2
CoPilot - Pocket PC 5
Cypress USB Mass Storage Driver Installation
DAEMON Tools
Driver Genius Professional Edition 2005 5.3.016
EA SPORTS online 2006
EPSON PhotoQuicker3.5
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
ESPR200 Reference Guide
ESPR200 Software Guide
ewido anti-spyware 4.0
exPressIT
exPressit S.E. 2.1
Family Tree Maker 2005
FIFA 06
Football Manager 2006
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
ICQ 5
Internet CommSuite
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
Lavasoft VX2 Cleaner
LEGO Star Wars
LimeWire 4.10.9
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech Desktop Messenger
Logitech Gaming Software
Logitech iTouch Software
Logitech MouseWare 9.71
Logitech Print Service
Logitech QuickCam
Logitech Resource Center
Logitech® Camera Driver
Macromedia Dreamweaver 4
Macromedia Extension Manager
Macromedia Fireworks 4
Macromedia Flash Player 8
Macromedia Shockwave Player
MailWasher Free
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework SDK (English) 1.1
Microsoft ActiveSync 3.7
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office 2000 Premium
Microsoft Outlook 2002
Microsoft Visual C++ 2005 Redistributable
MotoPhoenix
Mozilla Thunderbird (1.5)
Musicmatch® Jukebox
Napster
Napster Burn Engine
Nero 6 Ultra Edition
NETCommOCX
NetLimiter 2 Monitor (remove only)
Network Stumbler 0.4.0 (remove only)
NokiaFREE Unlock Codes Calculator
NVIDIA Drivers
NVIDIA nForce Drivers
NvMixer
Panda ActiveScan
PIF DESIGNER2.1
PowerDVD
QuickTime
SATARaid
ScanToWeb
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Skype 2.0
Spybot - Search & Destroy 1.3
Spyware Doctor 4.0
SpywareBlaster v3.5.1
TaskSwitchXP
ToolBar888
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
USB Storage Adapter FX (SM1)
Video Strip Poker
Viewpoint Media Player
WinAce Archiver
Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
XPize 4.2 MCE BETA
Yahoo! Browser Services
Yahoo! Mail
Yahoo! Messenger
YH-920 Driver & Utilities
Zoo Tycoon 2



Combofix log is nearly blank

Start Time= 11/08/2006 13:22:48.15


Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 13:30:00, on 11/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Anfield Alerts\anfieldalerts.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Denz\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [LaunchList] "C:\Program Files\Pinnacle\Studio 8\LaunchList.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [wxz83470] RUNDLL32.EXE w019b23f.dll,n 0028346e0000000a019b23f
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Anfield Alerts] C:\Program Files\Anfield Alerts\anfieldalerts.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - Startup: XPizeReloader.lnk = C:\WINDOWS\XPize\XPizeReloader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - http://etalk.epson.co.uk/netagent/objects/custappx3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129481717453
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.broadbandassist.com/BTYah...tivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...805/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\wvaueng.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:41 PM

Posted 11 August 2006 - 11:52 AM

Hey there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download Look2Me-Destroyer from here to your desktop.
Close all programs before continuing.
Double-click Look2Me-Destroyer.exe icon to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click "OK"
When Look2Me-Destroyer re-opens, click the "Scan for L2M" button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message - Done removing infected files....., click OK.
After the restart, please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
Note, if Look2Me-Destroyer does not reopen automatically, reboot and try again.

When you ran ComboFix, did you save the file to your desktop?
If run from a temporary directory it probably will not work.
Can you try again?
David

#5 denz1968

denz1968
  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:41 PM

Posted 11 August 2006 - 05:20 PM

Start Time= 11/08/2006 23:15:49.39

ComboFix log as above, run this time from the c:\combofix directory.

HijackThis log below

Logfile of HijackThis v1.99.1
Scan saved at 23:15:18, on 11/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Anfield Alerts\anfieldalerts.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Warez\Warez.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Denz\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [LaunchList] "C:\Program Files\Pinnacle\Studio 8\LaunchList.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [wxz83470] RUNDLL32.EXE w019b23f.dll,n 0028346e0000000a019b23f
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Anfield Alerts] C:\Program Files\Anfield Alerts\anfieldalerts.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - Startup: XPizeReloader.lnk = C:\WINDOWS\XPize\XPizeReloader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - http://etalk.epson.co.uk/netagent/objects/custappx3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129481717453
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.broadbandassist.com/BTYah...tivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...805/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Look2Me log below

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 11/08/2006 21:01:09

Infected! C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000648.dll
Infected! C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000726.dll
Infected! C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000737.dll
Infected! C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000741.dll
Infected! C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP13\A0002750.dll
Infected! C:\WINDOWS\system32\atifil32.dll
Infected! C:\WINDOWS\system32\ngwrsru.dll
Infected! C:\WINDOWS\system32\r88slil718q.dll
Infected! C:\WINDOWS\system32\wciscmgr.dll
Infected! C:\WINDOWS\system32\wvaueng.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000648.dll
C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000648.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000726.dll
C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000726.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000737.dll
C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000737.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000741.dll
C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP12\A0000741.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP13\A0002750.dll
C:\System Volume Information\_restore{E3B6D931-BCE8-4118-9943-3DCFF8886136}\RP13\A0002750.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\atifil32.dll
C:\WINDOWS\system32\atifil32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ngwrsru.dll
C:\WINDOWS\system32\ngwrsru.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\r88slil718q.dll
C:\WINDOWS\system32\r88slil718q.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wciscmgr.dll
C:\WINDOWS\system32\wciscmgr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wvaueng.dll
C:\WINDOWS\system32\wvaueng.dll Deleted successfully!

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{561394BC-2B7A-42D9-A06D-1AC1CB628998}"
HKCR\Clsid\{561394BC-2B7A-42D9-A06D-1AC1CB628998}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F606653D-A2FD-4179-A422-A2926311DE53}"
HKCR\Clsid\{F606653D-A2FD-4179-A422-A2926311DE53}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1AF701A2-F79F-46F3-86AA-79344E48C646}"
HKCR\Clsid\{1AF701A2-F79F-46F3-86AA-79344E48C646}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5BE49584-98A5-44D7-B80B-AF85FB0654C7}"
HKCR\Clsid\{5BE49584-98A5-44D7-B80B-AF85FB0654C7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{221D7642-CD6F-4185-A88B-88510A89FF7B}"
HKCR\Clsid\{221D7642-CD6F-4185-A88B-88510A89FF7B}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:41 PM

Posted 12 August 2006 - 03:52 AM

Hey there,
Let's continue..

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [wxz83470] RUNDLL32.EXE w019b23f.dll,n 0028346e0000000a019b23f

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Clean your Cache and Cookies in IE

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Clean your Cache and Cookies in Firefox

° Open the Firefox browser.
° Click on the "Tools" menu and click on "Options".
° Click "privacy" in the menu on the left side window.
° Open the History, Cookies and Cache tabs individually.
° Choose the "clear" button on each.
° Click OK to close the Options window

Clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please download, install, and update Ewido anti-spyware
Load Ewido and then click the Update tab at the top.
Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful")
Then click on the Scanner tab at the top.
Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan.
Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side.

When the scan has finished, it will automatically set the recommended action.
Click the Apply all actions button.
Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close Ewido and reboot!! I need the log later.

Please post the ewido log and a new Hijackthis log.
David
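As an added example that is not part of this thread, of HijackThis or of any tool named above: a small Python triage script that applies the kind of rules David's fix list reflects to lines copied from the logs posted above. It flags an O20 Winlogon Notify package that is not one of the stock Windows XP packages (the wvaueng.dll entry Look2Me-Destroyer later reported as infected), an O4 Run value where RUNDLL32 loads a DLL by bare filename with a machine-generated value name, the missing default URLSearchHook, an IE search setting pointed at about:blank, and dangling "(file missing)" entries, while leaving the signed vendor entries alone. The known-good Winlogon Notify list and the severity labels are assumptions chosen for illustration, not a published reference list.

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example, not code from the thread or from HijackThis. The sample
lines are copied from the logs posted above; the known-good list and the
severities are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Winlogon Notify packages that ship with Windows XP SP2 (assumption: this
# list is illustrative, not exhaustive). Any other package registered under
# HKLM\...\Winlogon\Notify gets its DLL loaded into winlogon.exe at logon,
# which is why Look2Me used it for persistence.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Constructed input: lines taken from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [wxz83470] RUNDLL32.EXE w019b23f.dll,n 0028346e0000000a019b23f
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\wvaueng.dll
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "high", "medium" or "low" (illustrative labels)
    reason: str
    line: str


_LINE_RE = re.compile(r"^(R\d|O\d+|F\d|N\d)\s+-\s+(.*)$")
# DLL argument handed to RUNDLL32; a bare filename is resolved via the DLL
# search path, so the file sits in %windir% or system32 under a random name.
_RUNDLL_RE = re.compile(r"RUNDLL32(?:\.EXE)?\s+(\S+?\.dll)\b", re.IGNORECASE)
_NOTIFY_RE = re.compile(r"^Winlogon Notify:\s*(\S+)\s+-\s+(.+)$", re.IGNORECASE)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if no rule matches."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O20":
        n = _NOTIFY_RE.match(body)
        if n and n.group(1) not in KNOWN_WINLOGON_NOTIFY:
            return Finding(section, "high",
                           f"Winlogon Notify package '{n.group(1)}' is not a stock XP "
                           f"package; {n.group(2)} is loaded into winlogon.exe at logon",
                           line)

    if section == "O4":
        r = _RUNDLL_RE.search(body)
        if r and "\\" not in r.group(1):
            return Finding(section, "high",
                           f"RUNDLL32 loads '{r.group(1)}' by bare filename; no vendor "
                           "path and a random-looking Run value name", line)

    if section == "R3" and "URLSearchHook is missing" in body:
        return Finding(section, "medium",
                       "IE's default URLSearchHook has been removed", line)

    if section in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
        return Finding(section, "medium",
                       "IE search/start setting points at about:blank", line)

    if "(file missing)" in body:
        return Finding(section, "low",
                       "registered component's file is missing (dangling entry)", line)

    if section == "O23" and "Unknown owner" in body:
        return Finding(section, "low",
                       "service binary carries no publisher information", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Running it on the constructed sample reports five lines (the O4, R0, R3, O9 and O20 entries) and says nothing about the Java, NVIDIA and NetLimiter entries. The O20 rule is the one worth carrying to other logs: a Winlogon Notify DLL is loaded by winlogon.exe before any user shell starts, so a package name that does not belong to Windows is a stronger signal than anything in the O4 list.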

#7 denz1968

denz1968
  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:41 PM

Posted 13 August 2006 - 04:42 AM

Hi

Did everything except Ewido keeps crashing the PC. Therefore I do not get a log file; however, I have attached the Ewido error log file it created.

Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: pipe creation failed, Value: 000000E7, Position: .\pipe.cpp, 152
Error: pipe creation failed, Value: 000000E7, Position: .\pipe.cpp, 152
Error: pipe creation failed, Value: 000000E7, Position: .\pipe.cpp, 152
Error: pipe creation failed, Value: 000000E7, Position: .\pipe.cpp, 152
Error: pipe creation failed, Value: 000000E7, Position: .\pipe.cpp, 152
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: message type not known, switching to RED, Position: .\GuardMessage.cpp, 156
Error: Cannot open config key, Value: 000005AA, Position: .\config.cpp, 50
Error: Cannot open config key, Value: 00000013, Position: .\config.cpp, 50
Error: failed to connect to server, Value: 00002741, Position: .\DownloadHttp.cpp, 287
Error: failed to connect to server, Value: 0000274C, Position: .\DownloadHttp.cpp, 287



Here is the latest status of HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 10:41:17, on 13/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Denz\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [LaunchList] "C:\Program Files\Pinnacle\Studio 8\LaunchList.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized
O4 - Startup: XPizeReloader.lnk = C:\WINDOWS\XPize\XPizeReloader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - http://etalk.epson.co.uk/netagent/objects/custappx3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129481717453
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.broadbandassist.com/BTYah...tivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...805/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:41 PM

Posted 13 August 2006 - 04:46 AM

Ok, don't worry about the Ewido error for now.
That's the 3rd time I've seen this error this week.
I think it may be a bug with the program.

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

You are using the Warez p2p file sharing program.
This is not technically malware by itself, but it installs malware in order to run properly.
It also opens the door for every other nasty program you can think of.
I strongly recommend that you remove it from your computer.
Read this article for alternatives that will provide some of the same function without the garbage:
http://www.spywareinfo.com/articles/p2p/

I suggest you remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
Warez

This is another article you can read:
http://www.cexx.org/adware.htm

At the moment your HijackThis log is clean.
How is the computer running?
David

#9 denz1968

denz1968
  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:41 PM

Posted 13 August 2006 - 07:48 AM

The computer is running much better, thanks. I already removed Warez; however, it still loads, and it doesn't appear on the Add/Remove Programs list. I tried to delete the folder but it would not let me, and it caused the PC to restart with an error message of system resources low. Ad-Aware had no critical objects found.

Error signature attached below, after the Warez system crash:

BCCode : 1000008e BCP1 : C0000005 BCP2 : EEF1041D BCP3 : EB1CCB3C
BCP4 : 00000000 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

C:\DOCUME~1\Denz\LOCALS~1\Temp\WER4f0a.dir00\Mini081306-02.dmp
C:\DOCUME~1\Denz\LOCALS~1\Temp\WER4f0a.dir00\sysdata.xml

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:41 PM

Posted 13 August 2006 - 08:28 AM

Hey there denz1968,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

In regards to Warez, it looks like we are going to have to force an uninstall.
Open HijackThis.
Click Open the Misc Tools section.
Click Open Uninstall Manager.
Find and Select this item: Warez.
After you have selected the item click Delete this entry.
Then close HijackThis.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Find and delete this folder:
C:\Program Files\Warez

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot back to normal mode now.

In relation to the crash errors, you may like to read the following thread at the link below. If Windows XP restarts because of a serious error, the Windows Error Reporting tool prompts you to report the problem to Microsoft for troubleshooting purposes. Windows may prompt you to report this information every time that you restart the computer, even if no error occurred during the previous session. After this problem begins to occur, you are prompted to send the information after every restart, even if you do not send the information:
http://support.microsoft.com/?kbid=317277

I also saw information indicating that your NVIDIA graphics card's drivers need updating.
This may solve the error message.

I now see a clean log here; there are no signs of malware or anything that may cause the problems you are having. I recommend that you post your question in the following forum, as you will receive better help there. Let them know you have had your HijackThis log checked, and it isn't a serious security issue.
Windows XP Home and Professional

David



