
Author Topic: Virus?  (Read 33710 times)


Neik

    Topic Starter


    Beginner

    Virus?
    « on: August 04, 2007, 09:20:59 PM »
    I've downloaded a rar file because it was like a free blahblahblah program and it had an exe file called Installer.exe. I clicked it and my computer restarted. Then after a few days I had some FPS problem; it wasn't stable, it was going from 1-100 and bounced everywhere, but that was also when I downloaded a new driver for it. I've scanned with NOD32 and Spyware Doctor and found nothing with NOD32 but found a few with Spyware Doctor. Scanned and cleaned.
    Also ran Registry Mechanic.
    So I don't know if it's the Catalyst or the "Installer.exe" ??? ??? I'm really down right now and I need urgent help.

    unlovedwarrior



      Guru

    • someday this name will be known
    • Thanked: 13
      Re: Virus?
      « Reply #1 on: August 04, 2007, 09:44:52 PM »
      What OS? Try googling Trend Micro HouseCall; it's a free online scanner. Please get HijackThis and post a log.

      Neik

        Topic Starter


        Beginner

        Re: Virus?
        « Reply #2 on: August 04, 2007, 09:57:53 PM »
        Thanks for your reply.
        I'm currently using Windows XP Home Edition.
        Logfile of HijackThis v1.99.1
        Scan saved at 11:55:31 PM, on 8/4/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16473)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\csrss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Eset\nod32krn.exe
        C:\Program Files\Eset\nod32kui.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\WINDOWS\system32\VTTimer.exe
        C:\WINDOWS\system32\ctfmon.exe
        D:\Program Files\Spyware Doctor\sdhelp.exe
        C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\wdfmgr.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
        C:\WINDOWS\System32\alg.exe
        C:\Program Files\Steam\steam.exe
        C:\Program Files\Ventrilo\Ventrilo.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        D:\Program Files\Spyware Doctor\swdoctor.exe
        C:\Program Files\MSN Messenger\usnsvc.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        D:\Program Files\HijackThis\HijackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
        N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rzihjmcz.slt\prefs.js)
        O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - D:\Program Files\IE7Pro\IE7Pro.dll
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
        O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
        O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
        O4 - HKLM\..\Run: [Itch ford four knob] C:\Documents and Settings\All Users\Application Data\third lies itch ford\thunk rule.exe
        O4 - HKLM\..\Run: [Admin Soap Beep Knob] C:\Documents and Settings\All Users\Application Data\dumb bolt knob third\new show base.exe
        O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
        O4 - HKCU\..\Run: [Name Creative] C:\DOCUME~1\Owner\APPLIC~1\CHICID~1\extragluecdrom.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IE7Pro\IE7Pro.dll
        O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IE7Pro\IE7Pro.dll
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
        O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
        O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

        unlovedwarrior



          Guru

        • someday this name will be known
        • Thanked: 13
          Re: Virus?
          « Reply #3 on: August 04, 2007, 10:04:34 PM »
          Umm, can we get the whole log please, down to O23? It'll take a couple of posts.

          patio

          • Moderator


          • Genius
          • Maud' Dib
          • Thanked: 1769
          • Experience: Beginner
          • OS: Windows 7
          Re: Virus?
          « Reply #4 on: August 05, 2007, 07:03:15 AM »
          Hmmmm, a .rar file??
          What program??
          " Anyone who goes to a psychiatrist should have his head examined. "

          Neik

            Topic Starter


            Beginner

            Re: Virus?
            « Reply #5 on: August 07, 2007, 03:51:56 PM »
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O11 - Options group: [INTERNATIONAL] International*
            O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
            O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
            O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
            O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
            O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
            O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
            O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
            O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
            O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160164617859
            O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
            O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
            O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
            O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
            O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
            O18 - Protocol: bw+0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw+0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw-0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw-0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw00 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw00s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw10 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw10s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw20 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw20s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw30 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw30s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw40 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw40s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw50 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw50s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw60 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw60s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw70 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw70s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw80 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw80s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw90 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bw90s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwa0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwa0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwb0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwb0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwc0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwc0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwd0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwd0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwe0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwe0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwf0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwf0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
            O18 - Protocol: bwg0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwg0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwh0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwh0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwi0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwi0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwj0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwj0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwk0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwk0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwl0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
            O18 - Protocol: bwl0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program

            Neik

              Topic Starter


              Beginner

              Re: Virus?
              « Reply #6 on: August 07, 2007, 03:56:26 PM »
              O18 - Protocol: bwm0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwm0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwn0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwn0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwo0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwo0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwp0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwp0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwq0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwq0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwr0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwr0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bws0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bws0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwt0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwt0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwu0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwu0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwv0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwv0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bww0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bww0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwx0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwx0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwy0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwy0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwz0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: bwz0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
              O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
              O18 - Protocol: offline-8876480 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
              O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
              O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
              O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
              O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
              O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
              O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
              O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
              O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
              O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)


              CBMatt

              • Mod & Malware Specialist


              • Prodigy

              • Sad and lonely...and loving every minute of it.
              • Thanked: 167
              • Experience: Experienced
              • OS: Windows 7
              Re: Virus?
              « Reply #7 on: August 07, 2007, 07:42:11 PM »
              Looks like you picked up a Lop infection.  Go ahead and follow these instructions...  Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

              O4 - HKLM\..\Run: [Itch ford four knob] C:\Documents and Settings\All Users\Application Data\third lies itch ford\thunk rule.exe
              O4 - HKLM\..\Run: [Admin Soap Beep Knob] C:\Documents and Settings\All Users\Application Data\dumb bolt knob third\new show base.exe
              O4 - HKCU\..\Run: [Name Creative] C:\DOCUME~1\Owner\APPLIC~1\CHICID~1\extragluecdrom.exe

              O18 - Protocol: bw+0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

              (This one is still open to debate.  It shouldn't be malicious, but many people are suspicious about it.  Read here for some reviews.  If you choose to remove it, be aware that there are many similar entries in your log that need to be removed.)

              Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

              Navigate to and delete the following folder(s) if present...

              C:\Documents and Settings\Owner\Application Data\chicidledeaf
              C:\Documents and Settings\All Users\Application Data\dumb bolt knob third
              C:\Documents and Settings\All Users\Application Data\third lies itch ford


              Navigate to and delete the following file(s) if present...

              C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll  (It's your choice whether or not you want to remove this.)

              Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.



              In addition to a new HijackThis log, there's some other info I would like...

              Open HijackThis.
              Click on Open Misc Tools Section
              Make sure that both boxes beside "Generate StartupList Log" are checked:
              • List all minor sections(Full)
              • List Empty Sections(Complete)
              Click Generate StartupList Log.
              Click Yes at the prompt.
              It will open a text file. Please copy the entire contents of that page and paste it here.

              Also, download lop.zip
              Unzip it to your desktop.
              Go into the new lop folder and double-click lop.bat
              It will run and when done, a Notepad will open.  Copy the contents of the Notepad and paste it here.

              These will help me determine if Lop is hiding anywhere else on your computer.
              "An undefined problem has an infinite number of solutions."
              - Robert A. Humphrey
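A small triage script for the O4 autorun entries CBMatt singled out above; it is an added example, not code from the thread or from HijackThis, and its sample lines are copied from the poster's log. It encodes the heuristic the reply applies by hand (a Run entry whose executable sits under an Application Data folder with a random-word name) and derives the parent folders to inspect in Safe Mode.

```python
"""Flag Lop-style autorun entries in HijackThis O4 lines.

Added example for the forum thread above; not part of HijackThis.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the O4 block copied from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Itch ford four knob] C:\Documents and Settings\All Users\Application Data\third lies itch ford\thunk rule.exe
O4 - HKLM\..\Run: [Admin Soap Beep Knob] C:\Documents and Settings\All Users\Application Data\dumb bolt knob third\new show base.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Name Creative] C:\DOCUME~1\Owner\APPLIC~1\CHICID~1\extragluecdrom.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

APPDATA_REASON = "executable lives under Application Data"


@dataclass
class Finding:
    name: str
    exe: str
    reasons: list[str] = field(default_factory=list)


def executable_path(cmd: str) -> str:
    """Recover the executable path from the command column.

    Quoted commands carry arguments after the closing quote. Unquoted ones
    are taken up to the first '.exe' (the Lop paths in the log contain
    spaces and are never quoted); otherwise the whole string is returned.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"^.*?\.exe", cmd, re.IGNORECASE)
    return m.group(0) if m else cmd


def is_appdata(path: str) -> bool:
    # Both the long form and the 8.3 short form (APPLIC~1) seen in the log.
    p = path.lower()
    return "application data" in p or "applic~1" in p


def random_word_name(name: str) -> bool:
    # Lop value names are two or more plain dictionary words separated by spaces.
    words = name.split()
    return len(words) >= 2 and all(w.isalpha() for w in words)


def triage_o4(log_text: str) -> list[Finding]:
    """Return the O4 entries that show the Lop pattern."""
    findings: list[Finding] = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_path(m.group("cmd"))
        f = Finding(name=m.group("name"), exe=exe)
        if is_appdata(exe):
            f.reasons.append(APPDATA_REASON)
        if random_word_name(f.name):
            f.reasons.append("value name is a string of random dictionary words")
        base = exe.replace("\\", "/").rsplit("/", 1)[-1]
        if " " in base:
            f.reasons.append("executable file name contains spaces")
        # Location alone is not enough (legitimate tools also live in
        # Application Data); require a naming oddity on top of it.
        if APPDATA_REASON in f.reasons and len(f.reasons) >= 2:
            findings.append(f)
    return findings


def folders_to_inspect(findings: list[Finding]) -> list[str]:
    """Parent folders of the flagged executables, as listed for Safe Mode cleanup."""
    seen: list[str] = []
    for f in findings:
        parent = f.exe.replace("\\", "/").rsplit("/", 1)[0].replace("/", "\\")
        if parent not in seen:
            seen.append(parent)
    return seen


if __name__ == "__main__":
    hits = triage_o4(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.name}] {h.exe}\n    " + "; ".join(h.reasons))
    print("Folders to inspect:")
    for folder in folders_to_inspect(hits):
        print("   ", folder)
```

The 8.3 form `CHICID~1` cannot be expanded from the log alone; the helper's reply resolved it to the full folder name from experience with this family.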

              Neik

                Topic Starter


                Beginner

                Re: Virus?
                « Reply #8 on: August 08, 2007, 08:04:33 AM »
                Thanks for the reply and instructions on how to remove them, I really appreciate this.
                What I did was I typed
                C:\Documents and Settings\Owner\Application Data\chicidledeaf
                C:\Documents and Settings\All Users\Application Data\dumb bolt knob third
                C:\Documents and Settings\All Users\Application Data\third lies itch ford
                in Run because I didn't know how to get into Safe Mode with this new mobo; it showed 4 options like boot from C: drive but no Safe Mode after I pressed F8. I bought a new mobo a few months ago. When I ran those C:\Documents paths, NOD32 detected it was unsafe and deleted the files and the folder.

                After I scanned with HijackThis and removed only
                R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

                O4 - HKLM\..\Run: [Admin Soap Beep Knob] C:\Documents and Settings\All Users\Application Data\dumb bolt knob third\new show base.exe

                and clicked Fix Checked. Those were the only two that showed, so I guess NOD32 has deleted some of them.

                Neik

                  Topic Starter


                  Beginner

                  Re: Virus?
                  « Reply #9 on: August 08, 2007, 08:07:23 AM »
                  StartupList report, 8/8/2007, 10:05:41 AM
                  StartupList version: 1.52.2
                  Started from : D:\Program Files\HijackThis\HijackThis.EXE
                  Detected: Windows XP SP2 (WinNT 5.01.2600)
                  Detected: Internet Explorer v7.00 (7.00.6000.16473)
                  * Using default options
                  * Including empty and uninteresting sections
                  * Showing rarely important sections
                  ==================================================

                  Running processes:

                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\csrss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\Ati2evxx.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\Ati2evxx.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\Program Files\Eset\nod32kui.exe
                  C:\Program Files\Eset\nod32krn.exe
                  C:\WINDOWS\SOUNDMAN.EXE
                  C:\WINDOWS\system32\VTTimer.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Messenger\msmsgs.exe
                  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
                  D:\Program Files\Spyware Doctor\sdhelp.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\wdfmgr.exe
                  C:\WINDOWS\System32\alg.exe
                  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
                  C:\Program Files\Winamp\winamp.exe
                  C:\Program Files\Internet Explorer\iexplore.exe
                  D:\Program Files\HijackThis\HijackThis.exe

                  --------------------------------------------------

                  Listing of startup folders:

                  Shell folders Startup:
                  [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
                  *No files*

                  Shell folders AltStartup:
                  *Folder not found*

                  User shell folders Startup:
                  *Folder not found*

                  User shell folders AltStartup:
                  *Folder not found*

                  Shell folders Common Startup:
                  [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
                  *No files*

                  Shell folders Common AltStartup:
                  *Folder not found*

                  User shell folders Common Startup:
                  *Folder not found*

                  User shell folders Alternate Common Startup:
                  *Folder not found*

                  --------------------------------------------------

                  Checking Windows NT UserInit:

                  [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
                  UserInit = C:\WINDOWS\system32\userinit.exe,

                  [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
                  *Registry key not found*

                  [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
                  *Registry value not found*

                  [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
                  *Registry key not found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\Run

                  nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
                  SoundMan = SOUNDMAN.EXE
                  VTTimer = VTTimer.exe
                  StartCCC = C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

                  *No values found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

                  *No values found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

                  *No values found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

                  *No values found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\Run

                  ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
                  msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
                  MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

                  *No values found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

                  *No values found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

                  *No values found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

                  *No values found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

                  *Registry key not found*

                  --------------------------------------------------

                  Autorun entries from Registry:
                  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

                  *Registry key not found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
                  *No subkeys found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
                  *Registry key not found*

                  --------------------------------------------------

                  Autorun entries in Registry subkeys of:
                  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
                  *Registry key not found*

                  --------------------------------------------------

                  File association entry for .EXE:
                  HKEY_CLASSES_ROOT\exefile\shell\open\command

                  (Default) = "%1" %*

                  --------------------------------------------------

                  File association entry for .COM:
                  HKEY_CLASSES_ROOT\comfile\shell\open\command

                  (Default) = "%1" %*

                  --------------------------------------------------

                  Neik

                    Topic Starter


                    Beginner

                    Re: Virus?
                    « Reply #10 on: August 08, 2007, 08:08:27 AM »

                    File association entry for .BAT:
                    HKEY_CLASSES_ROOT\batfile\shell\open\command

                    (Default) = "%1" %*

                    --------------------------------------------------

                    File association entry for .PIF:
                    HKEY_CLASSES_ROOT\piffile\shell\open\command

                    (Default) = "%1" %*

                    --------------------------------------------------

                    File association entry for .SCR:
                    HKEY_CLASSES_ROOT\scrfile\shell\open\command

                    (Default) = "%1" /S

                    --------------------------------------------------

                    File association entry for .HTA:
                    HKEY_CLASSES_ROOT\htafile\shell\open\command

                    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

                    --------------------------------------------------

                    File association entry for .TXT:
                    HKEY_CLASSES_ROOT\txtfile\shell\open\command

                    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

                    --------------------------------------------------

                    Enumerating Active Setup stub paths:
                    HKLM\Software\Microsoft\Active Setup\Installed Components
                    (* = disabled by HKCU twin)

                    [<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
                    StubPath = C:\WINDOWS\system32\ieudinit.exe

                    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
                    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

                    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
                    StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

                    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
                    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

                    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
                    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

                    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
                    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

                    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
                    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

                    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
                    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

                    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
                    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

                    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
                    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

                    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
                    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

                    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
                    StubPath = regsvr32.exe /s /n /i:U shell32.dll

                    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
                    StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

                    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
                    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

                    --------------------------------------------------

                    Enumerating ICQ Agent Autostart apps:
                    HKCU\Software\Mirabilis\ICQ\Agent\Apps

                    *Registry key not found*

                    --------------------------------------------------

                    Load/Run keys from C:\WINDOWS\WIN.INI:

                    load=*INI section not found*
                    run=*INI section not found*

                    Load/Run keys from Registry:

                    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
                    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
                    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
                    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
                    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
                    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
                    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
                    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
                    HKCU\..\Windows NT\CurrentVersion\Windows: load=
                    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
                    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
                    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
                    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

                    --------------------------------------------------

                    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

                    Shell=*INI section not found*
                    SCRNSAVE.EXE=*INI section not found*
                    drivers=*INI section not found*

                    Shell & screensaver key from Registry:

                    Shell=Explorer.exe
                    SCRNSAVE.EXE=*Registry value not found*
                    drivers=*Registry value not found*

                    Policies Shell key:

                    HKCU\..\Policies: Shell=*Registry value not found*
                    HKLM\..\Policies: Shell=*Registry value not found*

                    --------------------------------------------------

                    Checking for EXPLORER.EXE instances:

                    C:\WINDOWS\Explorer.exe: PRESENT!

                    C:\Explorer.exe: not present
                    C:\WINDOWS\Explorer\Explorer.exe: not present
                    C:\WINDOWS\System\Explorer.exe: not present
                    C:\WINDOWS\System32\Explorer.exe: not present
                    C:\WINDOWS\Command\Explorer.exe: not present
                    C:\WINDOWS\Fonts\Explorer.exe: not present

                    --------------------------------------------------

                    Neik

                      Topic Starter


                      Beginner

                      Re: Virus?
                      « Reply #11 on: August 08, 2007, 08:12:35 AM »
                      --------------------------------------------------

                      Checking for superhidden extensions:

                      .lnk: HIDDEN! (arrow overlay: yes)
                      .pif: HIDDEN! (arrow overlay: yes)
                      .exe: not hidden
                      .com: not hidden
                      .bat: not hidden
                      .hta: not hidden
                      .scr: not hidden
                      .shs: HIDDEN!
                      .shb: HIDDEN!
                      .vbs: not hidden
                      .vbe: not hidden
                      .wsh: not hidden
                      .scf: HIDDEN! (arrow overlay: NO!)
                      .url: HIDDEN! (arrow overlay: yes)
                      .js: not hidden
                      .jse: not hidden

                      --------------------------------------------------

                      Verifying REGEDIT.EXE integrity:

                      - Regedit.exe found in C:\WINDOWS
                      - .reg open command is normal (regedit.exe %1)
                      - Company name OK: 'Microsoft Corporation'
                      - Original filename OK: 'REGEDIT.EXE'
                      - File description: 'Registry Editor'

                      Registry check passed

                      --------------------------------------------------

                      Enumerating Browser Helper Objects:

                      IE7Pro - D:\Program Files\IE7Pro\IE7Pro.dll - {00011268-E188-40DF-A514-835FCD78B1BF}
                      (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
                      (no name) - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
                      (no name) - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
                      (no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
                      (no name) - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}

                      --------------------------------------------------

                      Enumerating Task Scheduler jobs:

                      1-Click Maintenance.job
                      80FF5EC69068CB32.job
                      Registration reminder 1.job

                      --------------------------------------------------

                      Enumerating Download Program Files:

                      [DirectAnimation Java Classes]
                      CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab

                      [Microsoft XML Parser for Java]
                      OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

                      [VaioInfo.CMClass]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\VaioInfo.dll
                      CODEBASE = http://esupport.sony.com/VaioInfo.CAB

                      [Microsoft Data Collection Control]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSDcode.dll
                      CODEBASE = https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

                      [MessengerStatsClient Class]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
                      CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

                      [Shockwave ActiveX Control]
                      InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
                      CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

                      [YInstStarter Class]

                      [{33564D57-0000-0010-8000-00AA00389B71}]
                      CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

                      [McAfee.com Operating System Class]
                      InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
                      CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab

                      [Solitaire Showdown Class]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\SolitaireShowdown.dll
                      CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

                      [Symantec RuFSI Utility Class]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
                      CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

                      [MUWebControl Class]
                      InProcServer32 = C:\WINDOWS\system32\muweb.dll
                      CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160164617859

                      [Java Plug-in 1.5.0_10]
                      InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
                      CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

                      [MessengerStatsClient Class]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
                      CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

                      [ActiveScan Installer Class]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
                      CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

                      [ZoneIntro Class]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
                      CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab

                      [MessengerStatsClient Class]
                      InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MessengerStatsPAClient.dll
                      CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

                      [Java Plug-in 1.4.0_03]
                      InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
                      CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab

                      [Java Plug-in 1.5.0_09]
                      InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
                      CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

                      [Java Plug-in 1.5.0_10]
                      InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
                      CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

                      [Java Plug-in 1.5.0_10]
                      InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
                      CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

                      [Shockwave Flash Object]
                      InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
                      CODEBASE = https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

                      --------------------------------------------------

                      Enumerating Winsock LSP files:

                      NameSpace #1: C:\WINDOWS\System32\mswsock.dll
                      NameSpace #2: C:\WINDOWS\System32\winrnr.dll
                      NameSpace #3: C:\WINDOWS\System32\mswsock.dll
                      Protocol #1: C:\WINDOWS\system32\imon.dll
                      Protocol #2: C:\WINDOWS\system32\imon.dll
                      Protocol #3: C:\WINDOWS\system32\imon.dll
                      Protocol #4: C:\WINDOWS\system32\imon.dll
                      Protocol #5: C:\WINDOWS\system32\imon.dll
                      Protocol #6: C:\WINDOWS\system32\mswsock.dll
                      Protocol #7: C:\WINDOWS\system32\mswsock.dll
                      Protocol #8: C:\WINDOWS\system32\mswsock.dll
                      Protocol #9: C:\WINDOWS\system32\rsvpsp.dll
                      Protocol #10: C:\WINDOWS\system32\rsvpsp.dll
                      Protocol #11: C:\WINDOWS\system32\imon.dll
                      Protocol #12: C:\WINDOWS\system32\mswsock.dll
                      Protocol #13: C:\WINDOWS\system32\mswsock.dll
                      Protocol #14: C:\WINDOWS\system32\mswsock.dll
                      Protocol #15: C:\WINDOWS\system32\mswsock.dll
                      Protocol #16: C:\WINDOWS\system32\mswsock.dll
                      Protocol #17: C:\WINDOWS\system32\mswsock.dll
                      Protocol #18: C:\WINDOWS\system32\mswsock.dll
                      Protocol #19: C:\WINDOWS\system32\mswsock.dll
                      Protocol #20: C:\WINDOWS\system32\mswsock.dll
                      Protocol #21: C:\WINDOWS\system32\mswsock.dll
                      Protocol #22: C:\WINDOWS\system32\mswsock.dll
                      Protocol #23: C:\WINDOWS\system32\mswsock.dll
                      Protocol #24: C:\WINDOWS\system32\mswsock.dll
                      Protocol #25: C:\WINDOWS\system32\mswsock.dll
                      Protocol #26: C:\WINDOWS\system32\mswsock.dll
                      Protocol #27: C:\WINDOWS\system32\mswsock.dll

                      Neik

                        Topic Starter


                        Beginner

                        Re: Virus?
                        « Reply #12 on: August 08, 2007, 08:18:38 AM »
                        --------------------------------------------------

                        Enumerating Windows NT/2000/XP services

                        Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
                        Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
                        aeaudio: system32\drivers\aeaudio.sys (manual start)
                        Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
                        AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
                        Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
                        Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
                        Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
                        Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
                        AMON: \SystemRoot\system32\drivers\amon.sys (autostart)
                        Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
                        1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
                        ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
                        RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
                        Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
                        Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
                        ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
                        ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
                        ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
                        Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                        Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
                        Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                        Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                        Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
                        CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
                        Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
                        ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
                        .NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
                        COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
                        Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
                        DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
                        DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                        Disk Driver: System32\DRIVERS\disk.sys (system)
                        Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
                        dmboot: System32\drivers\dmboot.sys (disabled)
                        Sony DMI Call service: System32\DRIVERS\DMICall.sys (system)
                        dmio: System32\drivers\dmio.sys (disabled)
                        dmload: System32\drivers\dmload.sys (disabled)
                        Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                        Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
                        DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
                        Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
                        Intel(R) PRO/1000 Adapter Driver: System32\DRIVERS\e1000325.sys (manual start)
                        Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
                        Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                        Event Log: %SystemRoot%\system32\services.exe (autostart)
                        COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
                        Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                        Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
                        VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: System32\DRIVERS\fetnd5.sys (manual start)
                        Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
                        FltMgr: system32\drivers\fltmgr.sys (system)
                        Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
                        Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
                        Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                        Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
                        Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
                        HTTP: System32\Drivers\HTTP.sys (manual start)
                        HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
                        i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
                        ialm: System32\DRIVERS\ialmnt5.sys (manual start)
                        File Security Kernel Anti-Spyware Driver: system32\drivers\ikhfile.sys (system)
                        Kernel Anti-Spyware Driver: system32\drivers\ikhlayer.sys (system)
                        CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
                        IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
                        IntelIde: System32\DRIVERS\intelide.sys (system)
                        Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
                        IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
                        IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
                        IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
                        IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
                        IPSEC driver: System32\DRIVERS\ipsec.sys (system)
                        IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
                        PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
                        Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
                        Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
                        Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                        Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                        TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
                        Logitech USB Monitor Filter: system32\drivers\lvusbsta.sys (manual start)
                        mchInjDrv: \??\C:\WINDOWS\TEMP\mc21.tmp (disabled)
                        Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
                        NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
                        Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
                        Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
                        Marvell TOPDOG 802.11n WLAN Driver for Windows XP (USB8x): system32\DRIVERS\MRVW245.sys (manual start)
                        WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
                        MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
                        Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
                        Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
                        Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
                        Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
                        Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
                        Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
                        Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
                        NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
                        Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
                        Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
                        NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
                        Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
                        NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
                        NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
                        Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
                        Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
                        Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
                        Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                        1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
                        Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                        nod32drv: \SystemRoot\system32\drivers\nod32drv.sys (system)
                        NOD32 Kernel Service: "C:\Program Files\Eset\nod32krn.exe" (autostart)
                        NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
                        Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
                        IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
                        IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
                        NEC FireWarden OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
                        Parallel port driver: System32\DRIVERS\parport.sys (manual start)
                        PCI Bus Driver: System32\DRIVERS\pci.sys (system)
                        PCIIde: System32\DRIVERS\pciide.sys (system)
                        Logitech QuickCam Express(PID_0928): system32\DRIVERS\LV561AV.SYS (manual start)
                        Plug and Play: %SystemRoot%\system32\services.exe (autostart)
                        Microsoft IntelliPoint Filter Driver: system32\DRIVERS\point32.sys (manual start)
                        IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
                        WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

                        Neik


                          Re: Virus?
                          « Reply #13 on: August 08, 2007, 08:19:12 AM »
                          Processor Driver: System32\DRIVERS\processr.sys (system)
                          Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
                          QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
                          Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
                          PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
                          Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
                          Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                          WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
                          Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                          Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
                          Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
                          Rdbss: System32\DRIVERS\rdbss.sys (system)
                          RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
                          Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
                          Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
                          Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
                          Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
                          Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
                          QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
                          Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
                          Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
                          Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
                          Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          PC Tools Spyware Doctor: D:\Program Files\Spyware Doctor\sdhelp.exe (autostart)
                          Secdrv: System32\DRIVERS\secdrv.sys (autostart)
                          Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
                          Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
                          Serial port driver: System32\DRIVERS\serial.sys (system)
                          Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
                          Sony MPEG RealTime encoder board: System32\DRIVERS\smrt.sys (manual start)
                          smwdm: system32\drivers\smwdm.sys (manual start)
                          Sony Memory Stick controller(WB): System32\DRIVERS\SonyWBMS.SYS (manual start)
                          Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
                          Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
                          Sony SPTI Service: C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe (manual start)
                          System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
                          System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          Srv: System32\DRIVERS\srv.sys (manual start)
                          SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
                          Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
                          BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
                          StyleXPService: "C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe" (autostart)
                          Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
                          Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
                          MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{69696CEC-E2CA-4941-AB22-36C7B80BEB66} (manual start)
                          Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
                          Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
                          Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                          TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
                          Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
                          Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
                          Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
                          Microsoft AGPv3.5 Filter: system32\DRIVERS\uagp35.sys (system)
                          Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
                          Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
                          Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
                          Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
                          USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
                          Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
                          Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
                          USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
                          Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
                          USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
                          Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
                          Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
                          VAIO Media Music Server: "C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server" (disabled)
                          VAIO Media Music Server (HTTP): "C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP" (disabled)
                          VAIO Media Music Server (UPnP): C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (disabled)
                          VAIO Media Photo Server: C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe (disabled)
                          VAIO Media Photo Server (HTTP): "C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP" (disabled)
                          VAIO Media Photo Server (UPnP): C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (disabled)
                          VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
                          viagfx: system32\DRIVERS\vtmini.sys (manual start)
                          ViaIde: system32\DRIVERS\viaide.sys (system)
                          Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
                          Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
                          Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
                          WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
                          Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
                          Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                          WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
                          Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
                          Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
                          Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
                          Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
                          Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
                          NTPort Library Driver: \??\C:\WINDOWS\system32\zntport.sys (autostart)
                          Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
                          Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


                          --------------------------------------------------

                          Enumerating Windows NT logon/logoff scripts:
                          *No scripts set to run*

                          Windows NT checkdisk command:
                          BootExecute = autocheck autochk *

                          Windows NT 'Wininit.ini':
                          PendingFileRenameOperations: *Registry value not found*

                          --------------------------------------------------

                          Enumerating ShellServiceObjectDelayLoad items:

                          PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
                          CDBurn: C:\WINDOWS\system32\SHELL32.dll
                          WebCheck: C:\WINDOWS\system32\webcheck.dll
                          SysTray: C:\WINDOWS\System32\stobject.dll

                          --------------------------------------------------
                          Autorun entries from Registry:
                          HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

                          *Registry key not found*

                          --------------------------------------------------

                          Autorun entries from Registry:
                          HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

                          *Registry key not found*

                          --------------------------------------------------

                          Neik


                            Re: Virus?
                            « Reply #14 on: August 08, 2007, 08:19:39 AM »
                            End of report, 38,166 bytes
                            Report generated in 0.156 seconds

                            Command line options:
                               /verbose  - to add additional info on each section
                               /complete - to include empty sections and unsuspicious data
                               /full     - to include several rarely-important sections
                               /force9x  - to include Win9x-only startups even if running on WinNT
                               /forcent  - to include WinNT-only startups even if running on Win9x
                               /forceall - to include all Win9x and WinNT startups, regardless of platform
                               /history  - to list version history only

                            CBMatt

                            • Mod & Malware Specialist


                            • Prodigy

                            • Sad and lonely...and loving every minute of it.
                            • Thanked: 167
                              • Yes
                            • Experience: Experienced
                            • OS: Windows 7
                            Re: Virus?
                            « Reply #15 on: August 08, 2007, 08:34:15 AM »
                            Also, download lop.zip
                            Unzip it to your desktop.
                            Go into the new lop folder and double-click lop.bat
                            It will run and when done, a Notepad will open.  Copy the contents of the Notepad and paste it here.

                            I would like you to do this as well before we move on.
                            Quote
                            An undefined problem has an infinite number of solutions.
                             -- Robert A. Humphrey

                            Neik


                              Re: Virus?
                              « Reply #16 on: August 08, 2007, 12:24:11 PM »
                              Sorry about that, CBMatt, I forgot that last part.

                               Volume in drive C has no label.
                               Volume Serial Number is F034-6802

                               Directory of C:\Documents and Settings\Administrator\Application Data

                              04/11/2003  07:52 AM    <DIR>          Adobe
                              04/11/2003  03:19 AM    <DIR>          Help
                              04/09/2003  09:47 PM    <DIR>          Identities
                              04/11/2003  05:52 AM    <DIR>          InterTrust
                              04/11/2003  06:17 AM    <DIR>          Mozilla
                              04/11/2003  06:14 AM    <DIR>          MSN6
                              04/11/2003  05:57 AM    <DIR>          Real
                                             0 File(s)              0 bytes
                                             7 Dir(s)   1,663,037,440 bytes free
                               Volume in drive C has no label.
                               Volume Serial Number is F034-6802

                               Directory of C:\Documents and Settings\All Users\Application Data

                              04/29/2007  05:12 PM    <DIR>          Adobe
                              01/03/2007  01:21 AM    <DIR>          avg7
                              09/17/2006  11:51 AM    <DIR>          CyberLink
                              05/01/2007  09:59 PM    <DIR>          Google
                              11/05/2006  04:04 PM    <DIR>          McAfee
                              01/03/2007  12:23 AM    <DIR>          McAfee.com
                              09/26/2006  07:03 PM    <DIR>          Messenger Plus!
                              04/11/2003  06:13 AM    <DIR>          MSN Messenger 5.0.0527
                              04/11/2003  06:14 AM    <DIR>          MSN6
                              05/19/2007  12:39 PM    <DIR>          NVIDIA
                              10/07/2006  07:07 PM    <DIR>          QuickTime
                              08/02/2007  10:49 PM    <DIR>          Roam Inside Hole Tons
                              04/09/2003  09:57 PM    <DIR>          SBSI
                              08/08/2007  02:14 PM    <DIR>          Screaming Bee
                              04/26/2007  05:38 PM    <DIR>          Sony Corporation
                              04/11/2003  07:23 AM    <DIR>          Support.com
                              08/04/2007  11:22 PM    <DIR>          TEMP
                              07/01/2007  04:54 PM    <DIR>          TuneUp Software
                              04/11/2003  05:54 AM    <DIR>          VAIO Media Platform
                              10/05/2006  04:03 PM    <DIR>          Viewpoint
                              10/06/2006  04:09 PM    <DIR>          Windows Genuine Advantage
                                             0 File(s)              0 bytes
                                            21 Dir(s)   1,663,033,344 bytes free
                               Volume in drive C has no label.
                               Volume Serial Number is F034-6802

                               Directory of C:\Documents and Settings\Owner\Application Data

                              01/28/2007  12:16 PM    <DIR>          Actual Tools
                              07/13/2007  07:47 PM    <DIR>          Adobe
                              07/19/2007  01:19 PM    <DIR>          Ahead
                              06/13/2007  09:28 PM    <DIR>          ATI
                              01/02/2007  07:23 PM    <DIR>          AVG7
                              03/16/2007  11:46 PM    <DIR>          DivX
                              10/07/2006  07:12 PM    <DIR>          FotoWire
                              06/29/2007  04:51 PM    <DIR>          Google
                              04/11/2003  03:19 AM    <DIR>          Help
                              04/09/2003  09:47 PM    <DIR>          Identities
                              07/18/2007  11:56 PM    <DIR>          IE7Pro
                              01/02/2007  11:14 PM    <DIR>          Internet Download Accelerator
                              04/11/2003  05:52 AM    <DIR>          InterTrust
                              07/23/2007  10:38 PM    <DIR>          Lavasoft
                              09/19/2006  03:40 PM    <DIR>          Leadertech
                              09/18/2006  09:36 PM    <DIR>          Macromedia
                              09/18/2006  05:13 PM    <DIR>          Mozilla
                              04/11/2003  06:14 AM    <DIR>          MSN6
                              04/29/2007  07:41 PM    <DIR>          MusicIP
                              04/29/2007  05:18 PM    <DIR>          Opera
                              01/03/2007  12:24 AM    <DIR>          PC Tools
                              08/08/2007  02:14 PM    <DIR>          Screaming Bee
                              03/13/2007  06:16 PM    <DIR>          Screenshot Sender
                              02/18/2007  05:19 PM    <DIR>          Styler
                              11/12/2006  07:49 PM    <DIR>          Sun
                              07/13/2007  12:43 PM    <DIR>          teamspeak2
                              09/19/2006  03:50 PM    <DIR>          Template
                              07/01/2007  04:55 PM    <DIR>          TuneUp Software
                              07/17/2007  01:38 PM    <DIR>          Uniblue
                              01/14/2007  06:41 PM    <DIR>          Ventrilo
                              07/04/2007  08:46 PM    <DIR>          WinRAR
                                             0 File(s)              0 bytes
                                            31 Dir(s)   1,663,033,344 bytes free
                               Volume in drive C has no label.
                               Volume Serial Number is F034-6802

                               Directory of C:\Documents and Settings\Default User\Application Data

                              04/11/2003  05:57 AM    <DIR>          .
                              04/11/2003  05:57 AM    <DIR>          ..
                              04/09/2003  02:42 PM                62 desktop.ini
                                             1 File(s)             62 bytes
                                             2 Dir(s)   1,663,033,344 bytes free
                               Volume in drive C has no label.
                               Volume Serial Number is F034-6802

                               Directory of C:\Documents and Settings\LocalService\Application Data

                               Volume in drive C has no label.
                               Volume Serial Number is F034-6802

                               Directory of C:\Documents and Settings\NetworkService\Application Dat

                              CBMatt

                              Re: Virus?
                              « Reply #17 on: August 08, 2007, 08:27:51 PM »
                              No worries, I just wanted to make sure we're being thorough here.  There's one other folder you need to delete...

                              C:\Documents and Settings\All Users\Application Data\Roam Inside Hole Tons

                              You said you're not sure how to get to Safe Mode with your new motherboard, correct?  I think it would be a good idea to spend a few minutes figuring it out.  Instead of F8, try some of the other function keys.  F5 is what I have to use for my computer, and some use F10.  Just give each key a try (you'll have to reboot a few times) until you find out which one will take you to Safe Mode.

                              When in Safe Mode, infections are disabled because your computer starts up with only the necessary applications.  This makes it much easier to detect and remove infections, which is why Safe Mode is very important here.  The particular folder above can probably be removed in Normal Mode, but it's still important to know how to get into Safe Mode.


                              Now, with that said...  Copy everything inside the quote box below (starting with @) and paste it into Notepad.  Go up to File > Save As and click the drop-down box to change the "Save As Type" to "All Files".  Save it as remlop.bat on your desktop.

                              Quote
                              @echo off
                              rem /d also switches drive, so this works even if the .bat is run from another drive
                              cd /d C:\WINDOWS\Tasks
                              rem clear the read-only, system and hidden attributes so del can remove the task file
                              attrib -r -s -h 80FF5EC69068CB32.job
                              del 80FF5EC69068CB32.job
                              exit

                              Double-click remlop.bat. A window will open and close quickly; this is normal.



                              Then go ahead and head over HERE to run Panda's ActiveScan
                              • Once you are on the Panda site click the Scan your PC button
                              • A new window will open...click the Check Now button
                              • Enter your Country
                              • Enter your State/Province
                              • Enter your e-mail address and click send
                              • Select either Home User or Company
                              • Click the big Scan Now button
                              • If it wants to install an ActiveX component allow it
                              • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
                              • When download is complete, click on My Computer to start the scan
                              • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new HijackThis log.
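An added example, not CBMatt's remlop.bat and not part of the original thread: the same two removals as a PowerShell script that first checks each path exists, records its attributes and timestamp, keeps a copy of what the scheduled task was set to run before the .job file is deleted, and reports whether each removal actually succeeded. It assumes PowerShell 2.0 is installed on the XP machine and that the two paths are exactly the ones named in the post above; nothing else is taken from the page.

```powershell
# Added example; not the thread's own remlop.bat. Assumes PowerShell 2.0 on the
# XP box. Both paths are the ones CBMatt named in the post above.
$JobFile   = 'C:\WINDOWS\Tasks\80FF5EC69068CB32.job'
$LopFolder = 'C:\Documents and Settings\All Users\Application Data\Roam Inside Hole Tons'

# The same three bits 'attrib -r -s -h' clears; any of them blocks a plain delete.
$ClearMask = [int]([IO.FileAttributes]'ReadOnly, System, Hidden')

function Remove-Artifact {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "absent : $Path"
        return $false
    }

    # -Force is required, otherwise hidden/system items are not returned at all.
    $item = Get-Item -LiteralPath $Path -Force
    Write-Host ("found  : {0}  [{1}]  modified {2}" -f $Path, $item.Attributes, $item.LastWriteTime)

    # For a .job file, record what the task ran before the evidence is gone.
    # The task name is the file name without its extension; schtasks prints one
    # block per task, separated by blank lines.
    if ($item.Extension -eq '.job') {
        $taskName = $item.BaseName
        $blocks = (schtasks /Query /FO LIST /V 2>$null | Out-String) -split '(?:\r?\n){2,}'
        $blocks | Where-Object { $_ -match [regex]::Escape($taskName) } |
            ForEach-Object { Write-Host "task   :`n$_" }
    }

    try {
        # Same effect as 'attrib -r -s -h': clear only those bits, keep the rest
        # (for example the Directory bit on the folder).
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $ClearMask))
        Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
    } catch {
        # Typical failure: the file or folder is in use, which is exactly why the
        # post wants this done from Safe Mode.
        Write-Host ("failed : {0}  ({1})" -f $Path, $_.Exception.Message)
        return $false
    }

    $gone = -not (Test-Path -LiteralPath $Path)
    Write-Host ("removed: {0} -> {1}" -f $Path, $gone)
    return $gone
}

$results = @{}
foreach ($p in @($JobFile, $LopFolder)) {
    $results[$p] = Remove-Artifact -Path $p
}
$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Run it from an Administrator account, and in Safe Mode as the post recommends; the final table shows True only for paths that were present and are now gone, so a False next to a path that was "found" means the delete itself failed and the item is still there.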

                              Neik


                                Re: Virus?
                                « Reply #18 on: August 09, 2007, 10:45:11 AM »
                                I have done the Notepad remlop.bat, but when I do the Panda ActiveScan it downloads the components and, when it finishes, I click on My Computer and wait. It didn't perform a scan or anything. I tried 3 times.

                                CBMatt

                                Re: Virus?
                                « Reply #19 on: August 10, 2007, 02:34:43 PM »
                                Okay...go ahead and download Spybot - Search & Destroy and SUPERAntiSpyware.  Install and update both programs.  You should then reboot into Safe Mode and then scan with each program, one at a time.  Have you figured out how to get into Safe Mode with your computer yet?

                                Neik


                                  Re: Virus?
                                  « Reply #20 on: August 10, 2007, 10:59:37 PM »
                                  Yes, I figured out how to get into Safe Mode; it was also F5 for me, ty.
                                  I have Spyware Doctor, can I scan with that in Safe Mode instead of getting new programs? I don't have much GB left; this computer is pretty old and holds only 15 GB  :-\
                                  I'm not sure why you would need more than 1 anti-spyware, would it be better? ???

                                  CBMatt

                                  Re: Virus?
                                  « Reply #21 on: August 11, 2007, 03:51:58 AM »
                                  You don't have to download them; they would just be really handy to have.  It's generally not a good idea to have more than one anti-virus, but more than one anti-spyware can be helpful.  Because you have Spyware Doctor active, you don't have to worry about Spybot.  However, I would still get SUPERAntiSpyware, as it's good at picking up a lot of infections.  Either way, you should update your protection and scan with it in Safe Mode.
                                  An undefined problem has an infinite number of solutions.
                                  - Robert A. Humphrey

                                  CBMatt

                                  • Mod & Malware Specialist


                                  • Prodigy

                                  • Sad and lonely...and loving every minute of it.
                                  • Thanked: 167
                                    • Yes
                                  • Experience: Experienced
                                  • OS: Windows 7
                                  Re: Virus?
                                  « Reply #22 on: August 19, 2007, 06:20:22 AM »
                                  Due to lack of feedback, I am closing this topic.  If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

                                  If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
                                  An undefined problem has an infinite number of solutions.
                                  - Robert A. Humphrey

                                  patio

                                  • Moderator


                                  • Genius
                                  • Maud' Dib
                                  • Thanked: 1769
                                    • Yes
                                  • Experience: Beginner
                                  • OS: Windows 7
                                  Re: Virus?
                                  « Reply #23 on: August 27, 2007, 06:20:35 PM »
                                  Topic unlocked at OP's request...
                                  " Anyone who goes to a psychiatrist should have his head examined. "

                                  Neik

                                    Topic Starter


                                    Beginner

                                    Re: Virus?
                                    « Reply #24 on: August 27, 2007, 06:27:46 PM »
                                    Sorry for re-opening this; it has been a while since I got back on my computer. I had to go out a lot and didn't have a chance to reply. I let my sister go on while I was away.

                                    After things had been removed from the list in HijackThis it was running fine for a week. Then I let my sister go on the computer. When I came back I had the same problem again.  :-\ With no programs running I heard this weird music come out of nowhere from my computer.

                                    I have scanned for viruses using NOD32 and scanned for spyware using Spy Sweeper.
                                    Both scanned in Safe Mode, but no luck.

                                    Neik

                                      Topic Starter


                                      Beginner

                                      Re: Virus?
                                      « Reply #25 on: August 27, 2007, 06:29:43 PM »
                                      Here's my HijackThis log now:
                                      Logfile of HijackThis v1.99.1
                                      Scan saved at 8:28:06 PM, on 8/27/2007
                                      Platform: Windows XP SP2 (WinNT 5.01.2600)
                                      MSIE: Internet Explorer v7.00 (7.00.6000.16512)

                                      Running processes:
                                      C:\WINDOWS\System32\smss.exe
                                      C:\WINDOWS\system32\csrss.exe
                                      C:\WINDOWS\system32\winlogon.exe
                                      C:\WINDOWS\system32\services.exe
                                      C:\WINDOWS\system32\lsass.exe
                                      C:\WINDOWS\system32\Ati2evxx.exe
                                      C:\WINDOWS\system32\svchost.exe
                                      C:\WINDOWS\system32\svchost.exe
                                      C:\WINDOWS\System32\svchost.exe
                                      C:\WINDOWS\System32\svchost.exe
                                      C:\WINDOWS\system32\Ati2evxx.exe
                                      C:\WINDOWS\System32\svchost.exe
                                      C:\WINDOWS\system32\spoolsv.exe
                                      C:\WINDOWS\Explorer.EXE
                                      C:\WINDOWS\SOUNDMAN.EXE
                                      C:\WINDOWS\system32\VTTimer.exe
                                      C:\Program Files\Eset\nod32kui.exe
                                      C:\Program Files\Messenger\msmsgs.exe
                                      C:\WINDOWS\system32\ctfmon.exe
                                      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
                                      C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                      C:\Program Files\Eset\nod32krn.exe
                                      D:\Program Files\Spyware Doctor\sdhelp.exe
                                      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
                                      C:\WINDOWS\System32\svchost.exe
                                      D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
                                      C:\WINDOWS\System32\alg.exe
                                      C:\Program Files\Steam\steam.exe
                                      C:\Program Files\Ventrilo\Ventrilo.exe
                                      D:\Program Files\mIRC\mirc.exe
                                      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
                                      C:\Program Files\Internet Explorer\iexplore.exe
                                      D:\Program Files\HijackThis\HijackThis.exe

                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                                      N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\rzihjmcz.slt\prefs.js)
                                      O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - D:\Program Files\IE7Pro\IE7Pro.dll
                                      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
                                      O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
                                      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
                                      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                                      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                                      O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
                                      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                                      O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
                                      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
                                      O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
                                      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                                      O4 - HKCU\..\Run: [Name Creative] C:\DOCUME~1\Owner\APPLIC~1\CHICID~1\extragluecdrom.exe
                                      O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
                                      O11 - Options group: [INTERNATIONAL] International*
                                      O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
                                      O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
                                      O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
                                      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
                                      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -

                                      Neik

                                        Topic Starter


                                        Beginner

                                        Re: Virus?
                                        « Reply #26 on: August 27, 2007, 06:31:03 PM »
                                        O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
                                        O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
                                        O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
                                        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160164617859
                                        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
                                        O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
                                        O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
                                        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
                                        O18 - Protocol: bw+0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw+0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw-0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw-0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw00 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw00s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw10 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw10s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw20 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw20s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw30 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw30s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw40 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw40s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw50 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw50s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw60 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw60s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw70 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw70s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw80 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw80s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw90 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bw90s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwa0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwa0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwb0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwb0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwc0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwc0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwd0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwd0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwe0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwe0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwf0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwf0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
                                        O18 - Protocol: bwg0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwg0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwh0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwh0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwi0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwi0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwj0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwj0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwk0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwk0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwl0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                        O18 - Protocol: bwl0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

                                        Neik

                                          Topic Starter


                                          Beginner

                                          Re: Virus?
                                          « Reply #27 on: August 27, 2007, 06:33:08 PM »
                                          O18 - Protocol: bwm0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwm0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwn0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwn0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwo0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwo0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwp0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwp0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwq0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwq0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwr0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwr0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bws0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bws0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwt0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwt0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwu0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwu0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwv0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwv0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bww0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bww0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwx0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwx0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwy0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwy0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwz0 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: bwz0s - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
                                          O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
                                          O18 - Protocol: offline-8876480 - {81338E24-FA0C-453F-A679-AF0F20ACD10C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
                                          O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

                                          Neik

                                            Topic Starter


                                            Beginner

                                            Re: Virus?
                                            « Reply #28 on: August 27, 2007, 06:33:27 PM »
                                            O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                                            O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
                                            O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                                            O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                                            O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                                            O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                                            O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
                                            O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
                                            O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
                                            O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
                                            O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
                                            O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe


                                            patio

                                            • Moderator


                                            • Genius
                                            • Maud' Dib
                                            • Thanked: 1769
                                              • Yes
                                            • Experience: Beginner
                                            • OS: Windows 7
                                            Re: Virus?
                                            « Reply #29 on: August 27, 2007, 07:38:13 PM »
                                            You don't have a virus...you have a sister !
                                             ;D
                                            Just kiddin...someone should be along shortly.

                                            " Anyone who goes to a psychiatrist should have his head examined. "

                                            Neik

                                              Topic Starter


                                              Beginner

                                              Re: Virus?
                                              « Reply #30 on: August 27, 2007, 07:40:15 PM »
                                              You don't have a virus...you have a sister !
                                               ;D
                                              Just kiddin...someone should be along shortly.



                                              lol!  ;) true,

                                              Update: Scanned with SUPERAntiSpyware. It found 34 infections (adware), now cleaned. I will tell you if things are okay now.

                                              CBMatt

                                              • Mod & Malware Specialist


                                              • Prodigy

                                              • Sad and lonely...and loving every minute of it.
                                              • Thanked: 167
                                                • Yes
                                              • Experience: Experienced
                                              • OS: Windows 7
                                              Re: Virus?
                                              « Reply #31 on: August 28, 2007, 02:40:58 AM »
                                              This entry should be fixed...

                                              O4 - HKCU\..\Run: [Name Creative] C:\DOCUME~1\Owner\APPLIC~1\CHICID~1\extragluecdrom.exe

                                              You also need to delete the following folder...
                                              C:\Documents and Settings\Owner\Application Data\chicidledeaf


                                              Once you have done that...
                                              Download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.
"An undefined problem has an infinite number of solutions." - Robert A. Humphrey

                                              Neik

                                                Topic Starter


                                                Beginner

                                                Re: Virus?
                                                « Reply #32 on: August 28, 2007, 12:19:49 PM »
The link for ComboFix does not work. I've tried Googling it, but it comes up with the same broken link.

                                                Fed

                                                • Moderator


                                                • Sage
                                                • Thanked: 35
                                                  • Experience: Experienced
                                                  • OS: Windows XP
                                                  Re: Virus?
                                                  « Reply #33 on: August 28, 2007, 07:33:26 PM »
                                                  It's a broken link Neik, try Google again later on.

                                                  F5 to get into safe mode, what's this about?
                                                  Safe mode is a Windows function, nothing to do with mobos is it?

                                                  Neik

                                                    Topic Starter


                                                    Beginner

                                                    Re: Virus?
                                                    « Reply #34 on: August 28, 2007, 08:30:06 PM »
                                                    It's a broken link Neik, try Google again later on.

                                                    F5 to get into safe mode, what's this about?
                                                    Safe mode is a Windows function, nothing to do with mobos is it?

I'm not sure, but for my old motherboard that I replaced, I remember pressing F8 or something to access Safe Mode, I think :-\ It used to be a Sony Vaio. I've seen different brands of computer, like Dell and MDG, that have to press different buttons like F8 to get in.

??? I still can't find ComboFix on Google; they all provide the same link, which is broken.

                                                    Fed

                                                    • Moderator


                                                    • Sage
                                                    • Thanked: 35
                                                      • Experience: Experienced
                                                      • OS: Windows XP
                                                      Re: Virus?
                                                      « Reply #35 on: August 28, 2007, 08:54:19 PM »
I expect, then, that you have seen where ComboFix was taken offline earlier this year; perhaps it has happened again.
I'd give it a day to see what comes out on the net. I have a fresh ComboFix sitting on my desktop that I can upload (1.4 MB), but I'm reluctant to do that in case ComboFix has a problem we're unaware of yet.
                                                      Have patience. ;)

                                                      EDIT: As I suspected...
                                                      http://forums.spybot.info/showthread.php?t=17284

                                                      CBMatt

                                                      • Mod & Malware Specialist


                                                      • Prodigy

                                                      • Sad and lonely...and loving every minute of it.
                                                      • Thanked: 167
                                                        • Yes
                                                      • Experience: Experienced
                                                      • OS: Windows 7
                                                      Re: Virus?
                                                      « Reply #36 on: August 29, 2007, 06:32:47 AM »
Odd... The link is working for me, so perhaps ComboFix has been un-pulled. I don't really know what the situation is, and I'm far too tired to look into it right now, but I will ASAP.

                                                      Neik

                                                        Topic Starter


                                                        Beginner

                                                        Re: Virus?
                                                        « Reply #37 on: August 29, 2007, 01:07:23 PM »
                                                        Alright thanks, I will wait  ;D

                                                        Fed

                                                        • Moderator


                                                        • Sage
                                                        • Thanked: 35
                                                          • Experience: Experienced
                                                          • OS: Windows XP
                                                          Re: Virus?
                                                          « Reply #38 on: August 29, 2007, 01:20:48 PM »
                                                          Neik, it was back when CBMatt posted.

                                                          Neik

                                                            Topic Starter


                                                            Beginner

                                                            Re: Virus?
                                                            « Reply #39 on: August 30, 2007, 02:03:29 PM »
Okay, I downloaded it and ran the program. Here's the log:

                                                            ComboFix 07-08-30.3 - "Owner" 2007-08-30 15:54:13.1 - NTFSx86
                                                            Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1131 [GMT -4:00]


                                                            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


                                                            C:\DOCUME~1\Owner\APPLIC~1\microsoft\internet explorer\quick launch\intern~1.lnk
                                                            C:\DOCUME~1\Owner\Desktop\internet explorer.lnk


                                                            (((((((((((((((((((((((((   Files Created from 2007-07-28 to 2007-08-30  )))))))))))))))))))))))))))))))


                                                            2007-08-30 15:53   51,200   --a------   C:\WINDOWS\nircmd.exe
                                                            2007-08-27 20:37   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
                                                            2007-08-27 20:37   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
                                                            2007-08-27 00:30   <DIR>   d--------   C:\Program Files\chicidledeaf
                                                            2007-08-25 13:23   <DIR>   d--------   C:\Program Files\Windows Live
                                                            2007-08-25 13:23   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
                                                            2007-08-25 13:23   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\WindowsLiveInstaller
                                                            2007-08-24 23:29   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
                                                            2007-08-21 15:51   512,096   --a------   C:\WINDOWS\system32\drivers\amon.sys
                                                            2007-08-21 15:51   298,104   --a------   C:\WINDOWS\system32\imon.dll
                                                            2007-08-21 15:51   15,424   --a------   C:\WINDOWS\system32\drivers\nod32drv.sys
                                                            2007-08-21 13:07   <DIR>   d--------   C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
                                                            2007-08-20 18:49   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
                                                            2007-08-20 18:44   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
                                                            2007-08-20 18:44   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
                                                            2007-08-15 15:50   23,864   --a------   C:\WINDOWS\system32\drivers\sskbfd.sys
                                                            2007-08-15 15:50   21,816   --a------   C:\WINDOWS\system32\drivers\sshrmd.sys
                                                            2007-08-15 15:50   20,280   --a------   C:\WINDOWS\system32\drivers\SSFS0BB8.sys
                                                            2007-08-15 15:50   163,128   --a------   C:\WINDOWS\system32\drivers\ssidrv.sys
                                                            2007-08-15 15:50   1,521,464   --a------   C:\WINDOWS\WRSetup.dll
                                                            2007-08-15 15:50   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Webroot
                                                            2007-08-15 15:50   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
                                                            2007-08-15 15:50   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
                                                            2007-08-14 23:03   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Screaming Bee
                                                            2007-08-13 23:32   0   -ra------   C:\logwmemory.bin
                                                            2007-08-13 23:30   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Soldat
                                                            2007-08-08 14:14   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Screaming Bee
                                                            2007-08-08 14:13   <DIR>   d--------   C:\Program Files\Common Files\Screaming Bee
                                                            2007-08-06 11:15   <DIR>   d--------   C:\Program Files\ATI Technologies
                                                            2007-08-06 11:11   520,192   ---------   C:\WINDOWS\system32\ati2sgag.exe
                                                            2007-07-23 22:39   51,072   --a------   C:\WINDOWS\system32\drivers\ikhlayer.sys
                                                            2007-07-23 22:39   30,592   --a------   C:\WINDOWS\system32\drivers\ikhfile.sys
                                                            2007-07-19 13:19   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Ahead
                                                            2007-07-19 13:18   476,320   --a------   C:\WINDOWS\system32\imagXpr7.dll
                                                            2007-07-19 13:18   471,040   --a------   C:\WINDOWS\system32\imagXRA7.dll
                                                            2007-07-19 13:18   364,544   --a------   C:\WINDOWS\system32\TwnLib4.dll
                                                            2007-07-19 13:18   262,144   --a------   C:\WINDOWS\system32\imagXR7.dll
                                                            2007-07-19 13:18   1,568,768   --a------   C:\WINDOWS\system32\imagX7.dll
                                                            2007-07-19 13:18   <DIR>   d--------   C:\Program Files\Common Files\Ahead
                                                            2007-07-18 23:55   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\IE7Pro
                                                            2007-07-17 13:38   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Uniblue
                                                            2007-07-13 12:43   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\teamspeak2
                                                            2007-07-12 19:31   765,952   -----c---   C:\WINDOWS\system32\dllcache\vgx.dll
                                                            2007-07-04 20:39   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\WinRAR
                                                            2007-07-01 16:55   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\TuneUp Software
                                                            2007-07-01 16:54   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software

                                                            Neik

                                                              Topic Starter


                                                              Beginner

                                                              Re: Virus?
                                                              « Reply #40 on: August 30, 2007, 02:04:37 PM »
                                                              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

                                                              2007-08-30 13:22   ---------   d--------   C:\Program Files\Steam
                                                              2007-08-27 20:37   ---------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
                                                              2007-08-27 00:29   ---------   d--------   C:\Program Files\Messenger Plus! Live
                                                              2007-08-25 13:04   ---------   d--------   C:\Program Files\MSN Messenger
                                                              2007-08-23 12:17   ---------   d--------   C:\Program Files\LimeWire
                                                              2007-08-19 13:27   ---------   d-a------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
                                                              2007-08-17 13:07   ---------   d--------   C:\Program Files\Winamp
                                                              2007-08-06 11:19   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
                                                              2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
                                                              2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
                                                              2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
                                                              2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
                                                              2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
                                                              2007-07-30 19:19   271224   --a------   C:\WINDOWS\system32\mucltui.dll
                                                              2007-07-30 19:19   207736   --a------   C:\WINDOWS\system32\muweb.dll
                                                              2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
                                                              2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
                                                              2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
                                                              2007-07-23 22:38   ---------   d--------   C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
                                                              2007-07-03 22:40   ---------   d--------   C:\Program Files\Starcraft
                                                              2007-06-29 16:51   ---------   d--------   C:\DOCUME~1\Owner\APPLIC~1\Google
                                                              2007-06-28 17:48   12528   --a------   C:\WINDOWS\system32\drivers\secdrv.sys
                                                              2007-06-26 02:08   1104896   --a------   C:\WINDOWS\system32\msxml3.dll
                                                              2007-06-19 09:31   282112   --a------   C:\WINDOWS\system32\gdi32.dll
                                                              2007-06-18 14:20   564736   --a------   C:\WINDOWS\system32\ah.scr
                                                              2007-06-18 14:20   45056   --a------   C:\WINDOWS\system32\sstunst3.exe
                                                              2007-06-13 06:23   1033216   --a------   C:\WINDOWS\explorer.exe
                                                              2007-06-01 08:20   51568   --a------   C:\WINDOWS\system32\sirenacm.dll


                                                              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                                               
                                                               
                                                              *Note* empty entries & legit default entries are not shown

                                                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                              "SoundMan"="SOUNDMAN.EXE" [2006-03-01 19:22 C:\WINDOWS\SOUNDMAN.EXE]
                                                              "VTTimer"="VTTimer.exe" [2006-08-03 02:53 C:\WINDOWS\system32\VTTimer.exe]
                                                              "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
                                                              "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-21 15:50]

                                                              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                              "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
                                                              "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

                                                              [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
                                                              "Spyware Doctor"=

                                                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
                                                              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

                                                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                                                              D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

                                                              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
                                                              backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

                                                              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
                                                              backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

                                                              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
                                                              backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

                                                              Neik

                                                                Topic Starter


                                                                Beginner

                                                                Re: Virus?
                                                                « Reply #41 on: August 30, 2007, 02:05:00 PM »
                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
                                                                backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
                                                                AGRSMMSG.exe

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
                                                                Ati2mdxx.exe

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
                                                                C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\holetonsinteronline]

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
                                                                C:\WINDOWS\System32\hkcmd.exe

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
                                                                C:\WINDOWS\System32\igfxtray.exe

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
                                                                C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
                                                                "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
                                                                C:\Program Files\Logitech\Video\ISStart.exe

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
                                                                C:\Program Files\Logitech\Video\LogiTray.exe

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
                                                                C:\WINDOWS\system32\LVCOMSX.EXE

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
                                                                "C:\Program Files\Messenger\msmsgs.exe" /background

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
                                                                "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
                                                                nwiz.exe /installquiet

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SHS]
                                                                "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
                                                                "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update Manager]
                                                                "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
                                                                C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
                                                                c:\program files\support.com\client\lserver\server.vbs

                                                                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                                                                "VAIOMediaPlatform-PhotoServer-UPnP"=3 (0x3)
                                                                "VAIOMediaPlatform-PhotoServer-HTTP"=3 (0x3)
                                                                "VAIOMediaPlatform-PhotoServer-AppServer"=3 (0x3)
                                                                "VAIOMediaPlatform-MusicServer-UPnP"=3 (0x3)
                                                                "VAIOMediaPlatform-MusicServer-HTTP"=3 (0x3)
                                                                "VAIOMediaPlatform-MusicServer-AppServer"=3 (0x3)
                                                                "NVSvc"=2 (0x2)
                                                                "gusvc"=3 (0x3)

                                                                Neik

                                                                  Topic Starter


                                                                  Beginner

                                                                  Re: Virus?
                                                                  « Reply #42 on: August 30, 2007, 02:05:25 PM »
                                                                  R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
                                                                  R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
                                                                  S3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
                                                                  S3 smrt;Sony MPEG RealTime encoder board;C:\WINDOWS\system32\DRIVERS\smrt.sys
                                                                  S3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS

                                                                  *Newly Created Service* - CATCHME

                                                                  Contents of the 'Scheduled Tasks' folder
                                                                  2007-08-24 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job - D:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
                                                                  2007-08-30 19:00:00 C:\WINDOWS\Tasks\AADE655F9362182B.job - c:\docume~1\owner\applic~1\chicid~1\Tool Bird Coal.exe
                                                                  2006-09-17 15:50:24 C:\WINDOWS\Tasks\Registration reminder 1.job - C:\WINDOWS\System32\OOBE\oobebaln.exe

                                                                  **************************************************************************

                                                                  catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                                                  Rootkit scan 2007-08-30 15:56:52
                                                                  Windows 5.1.2600 Service Pack 2 NTFS

                                                                  scanning hidden processes ...

                                                                  scanning hidden autostart entries ...

                                                                  scanning hidden files ...

                                                                  scan completed successfully
                                                                  hidden files: 0

                                                                  **************************************************************************

                                                                  Completion time: 2007-08-30 15:58:22
                                                                  C:\ComboFix-quarantined-files.txt ... 2007-08-30 15:58

                                                                     --- E O F ---

                                                                  CBMatt

                                                                  • Mod & Malware Specialist


                                                                  • Prodigy

                                                                  • Sad and lonely...and loving every minute of it.
                                                                  • Thanked: 167
                                                                    • Yes
                                                                  • Experience: Experienced
                                                                  • OS: Windows 7
                                                                  Re: Virus?
                                                                  « Reply #43 on: August 30, 2007, 08:17:08 PM »
                                                                  You've still got a small trace of Lop on your computer...

                                                                  Copy everything inside the quote box below (starting with @) and paste it into Notepad.  Go up to File > Save As and click the drop-down box to change the "Save As Type" to "All Files".  Save it as remlop.bat on your desktop.

                                                                  Quote
                                                                  @echo off
                                                                  REM Lop clean-up: delete the randomly named scheduled task listed by ComboFix.
                                                                  REM /d also switches drive in case the batch file is started from another one.
                                                                  cd /d C:\WINDOWS\Tasks
                                                                  REM Clear read-only, system and hidden attributes so the file can be deleted.
                                                                  attrib -r -s -h AADE655F9362182B.job
                                                                  del AADE655F9362182B.job
                                                                  exit

                                                                  Double-click remlop.bat.  A window will open and close quickly; this is normal.


                                                                  Have you deleted this folder yet?...
                                                                  C:\Documents and Settings\Owner\Application Data\chicidledeaf

                                                                  Another one that needs to be deleted is C:\Program Files\chicidledeaf.
                                                                  Quote
                                                                  An undefined problem has an infinite number of solutions.
                                                                  - Robert A. Humphrey
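The Lop task that remlop.bat removes stands out in the ComboFix 'Scheduled Tasks' listing of Reply #42: a 16-hex-digit job name pointing into Application Data through 8.3 short paths. As an added example that is not part of the thread, the script below parses that section of a ComboFix log and flags such entries; the log text and the three heuristics are constructed here for illustration, not taken from ComboFix itself.

```python
import re

# Constructed sample in the layout of ComboFix's "Scheduled Tasks" section;
# the three entries mirror the ones quoted in the thread above.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
2007-08-24 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job - D:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
2007-08-30 19:00:00 C:\WINDOWS\Tasks\AADE655F9362182B.job - c:\docume~1\owner\applic~1\chicid~1\Tool Bird Coal.exe
2006-09-17 15:50:24 C:\WINDOWS\Tasks\Registration reminder 1.job - C:\WINDOWS\System32\OOBE\oobebaln.exe

**************************************************************************
"""
# One entry: "<timestamp> <path to .job> - <program the task runs>".
TASK_LINE = re.compile(r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<job>[A-Za-z]:\\.*?\.job) - (?P<target>.+)$")
# Lop-style task names: exactly 16 hex digits and nothing readable.
RANDOM_HEX_NAME = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)
# Per-user locations that a legitimate scheduled task rarely runs from.
PROFILE_MARKERS = ("docume~1", "documents and settings", "applic~1",
                   "application data", "local settings", "\\temp\\")

def parse_tasks(log_text):
    """Return (when, job_path, target) for each entry in the tasks section."""
    tasks, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
        elif in_section and line.startswith("*"):   # separator ends the section
            break
        elif in_section and (m := TASK_LINE.match(line)):
            tasks.append((m["when"], m["job"], m["target"]))
    return tasks

def suspicious_reasons(job_path, target):
    """List the heuristics an entry trips; an empty list means it looks benign."""
    reasons = []
    if RANDOM_HEX_NAME.match(job_path.rsplit("\\", 1)[-1]):
        reasons.append("random hex task name")
    if any(marker in target.lower() for marker in PROFILE_MARKERS):
        reasons.append("target runs from a user-profile directory")
    if re.search(r"~\d", target):   # 8.3 short names obscure the real folder name
        reasons.append("8.3 short-name path in target")
    return reasons

def audit_scheduled_tasks(log_text):
    """Return [(job_name, target, reasons)] for entries worth a closer look."""
    findings = []
    for _when, job, target in parse_tasks(log_text):
        reasons = suspicious_reasons(job, target)
        if reasons:
            findings.append((job.rsplit("\\", 1)[-1], target, reasons))
    return findings
```

Run against a real log, a hit is a lead to investigate (check the target on VirusTotal or the vendor's site), not proof of infection on its own.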

                                                                  Neik

                                                                    Re: Virus?
                                                                    « Reply #44 on: August 30, 2007, 08:45:28 PM »
                                                                    Yes, I have deleted those folders and run remlop.bat.

                                                                    Can Nod32 scan C:\Documents and Settings\All Users\Application Data in Safe Mode and delete viruses? Because Application Data seems hidden.

                                                                    How come Webroot Spysweeper and SUPERantispy didn't remove all the Lop traces that were still on my computer?

                                                                    CBMatt

                                                                    Re: Virus?
                                                                    « Reply #45 on: August 30, 2007, 09:33:05 PM »
                                                                    Scanners can't pick up every infection.  It'd be nice if they could detect/clean every infection, but unfortunately, none of them are perfect.  You should still scan in Safe Mode, though.  And yes, Nod32 should be able to scan that folder.  To be able to access it manually, you need to enable hidden files and folders.

                                                                    Neik

                                                                      Re: Virus?
                                                                      « Reply #46 on: August 30, 2007, 10:01:11 PM »
                                                                      Well, thank you very much CBMatt, I appreciate your help cleaning out my computer ;D My computer is running fine now and it seems normal.

                                                                      Thank you  ;D

                                                                      CBMatt

                                                                      Re: Virus?
                                                                      « Reply #47 on: August 31, 2007, 09:10:53 AM »
                                                                      Awesome, I'm glad to hear it.  If you have any problems, don't be afraid to ask.

                                                                      Your Java is out of date.  You'll want to correct this quickly, as it will help provide further protection for you.  To do so, go here and click on Free Java Download.  You will be given instructions on what to do next.

                                                                      Also...you're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo.  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

                                                                      Neik

                                                                        Re: Virus?
                                                                        « Reply #48 on: August 31, 2007, 10:46:21 AM »
                                                                        The new Java is now installed  :) Thanks.

                                                                        Will the free firewalls I download slow down my computer?
                                                                        The firewall from Windows isn't as good as the other ones?

                                                                        patio

                                                                        • Moderator


                                                                        • Genius
                                                                        • Maud' Dib
                                                                        • Thanked: 1769
                                                                          • Yes
                                                                        • Experience: Beginner
                                                                        • OS: Windows 7
                                                                        Re: Virus?
                                                                        « Reply #49 on: August 31, 2007, 04:28:40 PM »
                                                                        The main difference in the firewalls suggested is their ability to scan both incoming and outgoing traffic...Windows Firewall only does incoming.
                                                                        For example, say you wound up with a dialer: Windows will not detect the outgoing traffic, where the others would.
                                                                        There is a slight performance hit initially, and it takes a while to let the firewall learn your surfing habits, but after a while it smooths out nicely...
                                                                        " Anyone who goes to a psychiatrist should have his head examined. "

                                                                        CBMatt

                                                                        Re: Virus?
                                                                        « Reply #50 on: August 31, 2007, 07:58:39 PM »
                                                                        I couldn't have said it any better, patio.

                                                                        patio

                                                                        Re: Virus?
                                                                        « Reply #51 on: August 31, 2007, 09:07:31 PM »
                                                                        Thanx Chris !

                                                                        CBMatt

                                                                        Re: Virus?
                                                                        « Reply #52 on: September 22, 2007, 02:54:28 AM »
                                                                        As this issue appears to be resolved, I am closing this topic.  If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

                                                                        If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.