PDA

View Full Version : hijack this log



nunzi
2005-12-18, 17:00
help, i know nothing but am very good at following instructions, i have followed the removal steps for spy sheriff and now am at log stage, could someone advise me on what should go and what should stay. the log is below
thankyou in advance
Nunzi

Logfile of HijackThis v1.99.1
Scan saved at 12:08:10 AM, on 19/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\cmd32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Tina\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup

Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program

Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file

missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66}

- %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) -

http://www.arcadetown.com/swf/cosmicbugs/r64loader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -

http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) -

http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -

http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) -

http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -

http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: explorer - C:\WINDOWS\SYSTEM32\explorer.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program

Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program

Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LonnyRJones
2005-12-18, 20:06
Hi nunzi
Explain to us the troubleshooting youve done prior to posting that log.
next time you post one turn off word wrap first so that the lines are not all mixed up please.

Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O20 - Winlogon Notify: explorer - C:\WINDOWS\SYSTEM32\explorer.dll
====================================
Hit fix checked and close Hijackthis.

Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh hijackthis


What version is your norton program and is it able to update its definitions ?

Download and run Silentrunners.Vbs post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click no to not skip the suplimentry searchs
Wait until there is a All Done message !!, Then open and post the log next to it. Your antivirus script protection might interfear or alert, please allow it to run after a bit box will say done.

nunzi
2005-12-19, 05:43
Thanks Lonny,

Since friday i have run symantec virus scan followed by rebooting and running in safe mode, then followed the steps about five times with no luck until the repair you sent me this morning
1. add/remove spy sheriff
2. run adaware scan
3. run spybot s&d
4. reboot normal mode
5. remove HKEY_USERS\S-1-5-21-1275210071-583907252-1801674531-1003\SOFTWARE\Microsoft\Windows|currentVersion|Run\Windows installer.

I have also downloaded and run killbox which didnt work
I followed the steps on before you post a log by doing an online scan with bit defender, followed by spy bot s&d and then hijackthis which was the first log sent.
this is what spy bot detected and tried to repair:
--- Search result list ---
Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1275210071-583907252-1801674531-1003\WindowsSubVersion

Smitfraud-C.: Data (File, nothing done)
C:\WINDOWS\system32\svcp.csv

Smitfraud-C.: Web page (File, nothing done)
C:\WINDOWS\system32\winsub.xml

Smitfraud-C.: Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1275210071-583907252-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer


Here is the Hijack This log from this morning after i removed the files you suggested and rebooted:

Logfile of HijackThis v1.99.1
Scan saved at 1:08:18 PM, on 19/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tina\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.arcadetown.com/swf/cosmicbugs/r64loader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

nunzi
2005-12-19, 05:47
Cont; lonny

And lastly silent runner scan (in two parts as it is too long for one reply)

my virus scanner is Symantec Antivirus Full Version 9.0.0.338 and can update definitions.

The problem seems to be gone but i will leave it to you to give me the all clear.

Thankyou heaps
Nunzi


"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"MediaFace Integration" = "C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" ["Fellowes, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]
"RoxioAudioCentral" = ""C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"" ["Roxio, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"LiveMonitor" = "C:\Program Files\MSI\Live Update 3\LMonitor.exe" [empty string]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"MP_STATUS_MONITOR" = ""C:\Program Files\Canon\MultiPASS\monitr32.exe" I" ["Canon Information Systems, Inc."]
"MPTBox" = ""C:\Program Files\Canon\MultiPASS\MPTBox.exe"" ["Canon Information Systems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}" = "MediaFace extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll" ["Fellowes, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
INFECTION WARNING! PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
MediaFaceExtension\(Default) = "{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll" ["Fellowes, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
MediaFaceExtension\(Default) = "{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll" ["Fellowes, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

nunzi
2005-12-19, 05:49
here's the rest of silent runner log

thanks again

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Tina\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssflwbox.scr" [MS]


Startup items in "Tina" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AudioDeck" -> shortcut to: "C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe -min" [empty string]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
MPService, MPService, "C:\Program Files\Canon\MultiPASS\mpservic.exe" ["Canon Information Systems, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "aw_host" [file not found]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
CutePDF Monitor\Driver = "cutemon2k.dll" [null data]
MPL Language Monitor\Driver = "MPASSMON.DLL" ["Canon Information Systems, Inc."]
PRTmate\Driver = "PRTmate.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 18 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 16 seconds.
---------- (total run time: 62 seconds)

LonnyRJones
2005-12-19, 09:36
Hi

Im more concerned with that explorer.dll file and what it does than smithfraud at this point

Troj/SCLog-B logs keypresses and system activities to temporary files named rerolpxe.dat and rerolpxe.le are also located in the Windows system folder. The Trojan periodically creates a ZIP file of the collected information and sends it to a remote user via email.
http://www.sophos.com/virusinfo/analyses/trojsclogb.html

I suggest running sysclean while in safe mode, then changing your email address and passwords

Sysclean a standalone scanner
Make a new folder called C:\Sysclean
Download Sysclean from
http://www.trendmicro.com/download/dcs.asp
Click the sysclean.txt link to learn how to use it. Download the latest pattern file : http://www.trendmicro.com/download/pattern.asp
lpt(xxxx).zip (AS/400, S/390, Windows)
Unzip it to the Sysclean folder.
Boot to Safe Mode. Scan the system with Sysclean. It will take awhile but
it is very thorough. When it's done, close Sysclean. restart back to a normal session.

nunzi
2005-12-19, 10:39
lonny, i am confused, is this file on my computer somewhere

Troj/SCLog-B logs keypresses and system activities to temporary files named rerolpxe.dat and rerolpxe.le are also located in the Windows system folder. The Trojan periodically creates a ZIP file of the collected information and sends it to a remote user via email.

does everything else look ok as i have stopped receiving those warning popup but my windows security alerts icon is still red.

thanks nunzi

LonnyRJones
2005-12-19, 14:08
Let us know what problems exist after running sysclean in safe mode please.

nunzi
2005-12-20, 07:59
hi lonny,
have done the sysclean scan in safe mode and attached the log, i am unsure if this a a problem but i just had a small amount of problem getting around on this site, i clicked next post and my internet page said site not found after a few attempts i retyped the site address and here i am, would this be because i am trying to access further pages from a link to this site in my favorites? or could it be something else.

LOG part one

/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-12-20, 14:05:09, Auto-clean mode specified.
2005-12-20, 14:05:09, Running scanner "C:\sysclean\TSC.BIN"...
2005-12-20, 14:08:42, Scanner "C:\sysclean\TSC.BIN" has finished running.
2005-12-20, 14:08:42, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Tue Dec 20 2005 14:05:09

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 688) [success]

Complete time : Tue Dec 20 2005 14:08:42
Execute pattern count(4590), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-12-20, 14:08:56, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\Tina\NTUSER.DAT": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\Tina\NTUSER.DAT.LOG": Access is denied.
2005-12-20, 14:17:09, An error occurred while scanning file "C:\Documents and Settings\Tina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-12-20, 14:17:09, An error occurred while scanning file "C:\Documents and Settings\Tina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-12-20, 14:22:48, An error was detected on "C:\Documents and Settings\Tina\My Documents\everything\kite\kite\special\tio.doc": The system cannot find the file specified.
2005-12-20, 14:44:30, Could not set file for reading on "C:\RECYCLER\NPROTECT\00129860.exe": Access is denied.
2005-12-20, 14:44:30, Could not set file for reading on "C:\RECYCLER\NPROTECT\00129862.exe": Access is denied.
2005-12-20, 14:44:30, Could not set file for reading on "C:\RECYCLER\NPROTECT\00129863._P": Access is denied.
2005-12-20, 14:44:52, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\AGENTSVR.EXE-002E45AB.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPDATE.EXE-2253CB60.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTOUPDATER.EXE-37B623C2.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CAPTUREDAEMON.EXE-0FF458A5.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CINEPLAYER.EXE-216DF75E.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CLEANMGR.EXE-1F86EA8E.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CONTROL.EXE-013DBFB5.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\COSMICBUGS.EXE-308B6BB9.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CPSALBUMCORE.EXE-0487CC85.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CPSHELPRUNNER.EXE-085D357E.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CREATOR7.EXE-04F78116.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DISCCOPIER7.EXE-0C370A8B.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DISCIMAGELOADER.EXE-0961872B.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DIVXTODVD.EXE-171309C4.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DRGTODSC.EXE-1737E026.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DRGTODSC.EXE-2EA93301.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DVDBUILDER7.EXE-0D7AA66D.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\HOMEPAGEAPP.EXE-0827C022.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\IDRIVER.EXE-205A2558.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\INSANIQUARIUM.EXE-1D5A95D2.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\KGROXIOEMC75.EXE-21743C7C.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCOMS~1.EXE-02DB5950.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\MEDIAMANAGER7.EXE-38CF7959.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIB4.TMP-3B10AF99.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\NDETECT.EXE-16E64095.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\NTVDM.EXE-1A10A423.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\OUTLOOK.EXE-27D5965C.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\ROXIOCAPTURE7.EXE-0CC76A84.pf": Access is denied.

nunzi
2005-12-20, 07:59
log part 2

2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-1831A4F3.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2A94BB85.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2CD85FD3.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2E5AF1D7.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RXLABELCREATOR.EXE-2A281096.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RXMON.EXE-06BF68E3.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP_WM.EXE-3135CBD6.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\SSFLWBOX.SCR-12F43B2F.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\VWHELPSERVICE7.EXE-26DE30BF.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\WINDVD.EXE-073928FB.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-29F5CB89.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9D.pf": Access is denied.
2005-12-20, 14:52:51, Could not set file for reading on "C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf": Access is denied.
2005-12-20, 14:52:51, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2005-12-20, 14:52:51, Could not set file for reading on "C:\WINDOWS\Prefetch\Z12.EXE-127F50C9.pf": Access is denied.
2005-12-20, 14:52:51, Could not set file for reading on "C:\WINDOWS\Prefetch\_IS14.TMP-00321A11.pf": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-12-20, 14:55:45, Running scanner "C:\sysclean\VSCANTM.BIN"...
2005-12-20, 15:26:07, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2005 14:55:46
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

C:\WINDOWS\system32\explorer.dll [TSPY_SCKEYLOG.O]
96819 files have been read.
96819 files have been checked.
62018 files have been scanned.
125277 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2005 15:26:06
---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-20, 15:26:07, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2005 14:55:46
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

Success Clean [ TSPY_SCKEYLOG.O]( 1) from C:\WINDOWS\system32\explorer.dll
96819 files have been read.
96819 files have been checked.
62018 files have been scanned.
125277 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2005 15:26:06 30 minutes 18 seconds (1818.74 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-20, 15:26:07, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2005 14:55:46
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

96819 files have been read.
96819 files have been checked.
62018 files have been scanned.
125277 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2005 15:26:06 30 minutes 18 seconds (1818.74 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-20, 15:26:07, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
2005-12-20, 15:33:16, Running scanner "C:\sysclean\VSCANTM.BIN"...
2005-12-20, 15:37:45, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2005 15:33:16
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\sysclean

10941 files have been read.
10941 files have been checked.
7582 files have been scanned.
12552 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2005 15:37:45
---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-20, 15:37:45, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2005 15:33:16
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\sysclean

10941 files have been read.
10941 files have been checked.
7582 files have been scanned.
12552 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2005 15:37:45 4 minutes 27 seconds (267.73 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-20, 15:37:45, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/20/2005 15:33:16
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\sysclean

10941 files have been read.
10941 files have been checked.
7582 files have been scanned.
12552 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/20/2005 15:37:45 4 minutes 27 seconds (267.73 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-12-20, 15:37:45, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

LonnyRJones
2005-12-20, 09:55
Looks good

I expected it to do more though.

Next:

Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) and save the file to your desktop. (By noahdfear.)
Double click on the file to extract it to it's own folder on the desktop.

Please download the trial version of Ewido Security Suite here:
install then from within the program check for updates BUT dont scan yet
ewido security suite: http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), Now close the program.
Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup (http://rstones12.geekstogo.com/adawareSE_setup.htm)
Don't run it yet!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.



Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Spybot check for and fix any problems found.
Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Restart back to a normal windows session

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.


Post a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist

nunzi
2005-12-20, 15:49
ok lonny all done, here are the logs, system looks ok

Logfile of HijackThis v1.99.1
Scan saved at 11:45:30 PM, on 20/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Tina\Desktop\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tina\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.arcadetown.com/swf/cosmicbugs/r64loader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Tina\Desktop\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

nunzi
2005-12-20, 15:52
log 2 smitfiles


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 20/12/2005
The current time is: 21:57:48.35

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

nunzi
2005-12-20, 16:00
and lastly ewido log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:40:06 PM, 20/12/2005
+ Report-Checksum: 8BCC051F

+ Scan result:

HKU\S-1-5-21-1275210071-583907252-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1275210071-583907252-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKU\S-1-5-21-1275210071-583907252-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{386A771C-E96A-421F-8BA7-32F1B706892F} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1275210071-583907252-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{511F9316-771B-4953-A268-1C36DA667FE9} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1275210071-583907252-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKU\S-1-5-21-1275210071-583907252-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1275210071-583907252-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wgkicocjkkp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wjkocod5ghp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@ad.adocean[1].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@adbrite[1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@ads19.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@affiliates.x10[1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@bigpond.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@cj[2].txt -> Spyware.Cookie.Cj : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wfkiemcjkfq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wfkokpcjidp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wflicmc5ohp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wfmiwnazgao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wfmyqldjgao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjkosgazcho.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjkycidpslp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjl4okcjoao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjlislc5glo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjlispczwgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjmisjdzagp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjmysgd5wco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjnyeoazaco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjnyqoc5mao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@e-2dj6wjnywldjoap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@spinbox[2].txt -> Spyware.Cookie.Spinbox : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@worldvisionaustralia.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@www.etracker[1].txt -> Spyware.Cookie.Etracker : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkowocjceogmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\Cookies\tina@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloekc5ahoaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tina\fdsf -> Hijacker.Spywad.n : Cleaned with backup
C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\z11.exe -> Hijacker.Spywad.n : Cleaned with backup


::Report End

again thanks for all your help, you have made this process very easy to follow which is greatly appreciated as i am a bit of a novice when it comes to repair and my husband was very gungho to f disc it, which i didn't think sounded to thrilling.

LonnyRJones
2005-12-20, 20:55
Hi
Have ewido put back this item
C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll -> Dialer.Generic : Cleaned with backup

The java plugin and acrobat reader need to be updated. keep all programs that use the internet up to date. media players, chat programs, etc etc.

Are there any problems now ?

tashi
2005-12-23, 19:17
nunzi, everything going ok?