Spybot and other AVs won't run, windows won't open



Paraprosdokian
2008-02-10, 05:50
Hi there,

To help my saviours, I'll summarise my issues into two key points. However, I'd also like to give you as much detail as possible, so I've included my history as well. If it's too much detail, then just ignore it. I've attached the KAV log down the bottom. (I can't attach Spybot or HJT logs because neither of them runs on my computer.)

Unfortunately, I couldn't find the "save as text" function for KAV, so I've copy/pasted the html version in my second post. If that's inadequate, please give instructions on how to get a text version.

I know you like to know if I've posted elsewhere. I went to techguy.org, but have been waiting for a week without any response.

1) Each time windows opens, there's a cascade of errors and the computer restarts in a never ending cycle.

2) Spybot won't run. I click spybot.exe and nothing happens. However, the file shredder works. Neither AVG nor Hijackthis will run, and I can't install Norton. I can still use Adaware, however (though scanning finds nothing). I suspect some virus, possibly braviax, is blocking them, since they worked before.

History and details of infection
My computer's been freezing for a little while, and when I google something and click a website, it redirects me to some other dodgy website instead. (Only links from Google redirect.)

I tried to fix the situation by downloading Spybot, Adaware and Grisoft's AVG. Each found a few viruses and fixed them. However, the next time I used Google and clicked a link, it not only redirected me, but my computer restarted. Each time I turn on my computer now, there's an error message about msnmessenger.exe, then another message about osa.exe, then a third message about a third program, until the computer restarts. (My computer is in Chinese, and I can't read Chinese, so I can't tell you the exact error.) I've found that using msconfig to disable those programs stops the error messages, but the computer still restarts. There is the blue "Windows is restarting" screen.

I found two ways to overcome the auto-restart problem. The first is to use safe mode (Spybot etc. still don't work). The second way is to use ctrl-alt-del just as Windows is booting, then terminate explorer.exe. I suspect that this virus is disabling all my anti-viruses, including Windows Firewall. The computer shuts down shortly before Windows gives me an error message about braviax.exe and googletoolbar ie. (Again, I can't read Chinese, only the English words scattered inside.)

Spybot and other anti-viruses won't run
Whenever I click the links for S+D on my desktop and in the start menu, nothing happens. If I go to the program files manually and click any of the .exe files, nothing happens either (except for fileshredder, which works).

The same thing happens with Grisoft's AVG. I tried reinstalling it, but now there's some sort of error. Part of it is in Chinese, but I'll transcribe the English:

Local machine:installation failed
Installation:
Error: action failed for file avgamsvr.exe: starting service...
[one line of Chinese] [ (1053

Hijackthis doesn't work either. I installed it, and it seemed OK, but the program won't run. If I ctrl-alt-del, I can't find the program... it seems just not to open at all. Not even for a second.

The AVs won't run in safe mode, nor will they run if I terminate explorer.exe at start-up (as described above). Not sure if their failure is because of my unique way of turning on the computer or because the virus somehow blocks them.

Thanks for your help in advance. The KAV log is in my second post below.

Paraprosdokian
2008-02-10, 05:55
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 10, 2008 12:15:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/02/2008
Kaspersky Anti-Virus database records: 555893
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 35306
Number of viruses found: 12
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 00:22:06

Infected Object Name / Virus Name / Last Action
C:\621e9ee29d7e0684dbd9e6\sp2\update\update.exe Object is locked skipped
C:\Documents and Settings\Administrator\「開始」功能表\程式集\啟動\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\History\History.IE5\MSHist012008021020080211\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Temporary Internet Files\Content.IE5\4HIVK96V\profile_pic[1].php Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Temporary Internet Files\Content.IE5\KPQRS1EJ\profile_pic[2].php Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Temporary Internet Files\Content.IE5\W1MZCTUV\profile_pic[2].php Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\「開始」功能表\程式集\啟動\dzfp.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped
C:\sysevgu.exe Infected: Trojan-Downloader.Win32.Tibs.up skipped
C:\sysfudk.exe Infected: Email-Worm.Win32.Zhelatin.uv skipped
C:\sysmrxt.exe Infected: Email-Worm.Win32.Zhelatin.uv skipped
C:\sysrqzp.exe Infected: Email-Worm.Win32.Zhelatin.uv skipped
C:\sysuxmz.exe Infected: Trojan-Downloader.Win32.Tibs.up skipped
C:\syswpof.exe Infected: Trojan-Downloader.Win32.Tibs.up skipped
C:\WINDOWS\braviax.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pss\venm.exeCommon Startup Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\braviax.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\drivers\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\L9E0.tmp Infected: Trojan-PSW.Win32.LdPinch.dis skipped
C:\WINDOWS\system32\LF8C9.tmp Infected: Trojan-Spy.Win32.Zbot.nd skipped
C:\WINDOWS\system32\nmp.log Object is locked skipped
C:\WINDOWS\system32\users32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped
C:\WINDOWS\TEMP\4.tmp Infected: Trojan-Spy.Win32.Zbot.ya skipped
C:\WINDOWS\TEMP\NERO14399\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\WINDOWS\TEMP\~DF6CEA.tmp Object is locked skipped
C:\WINDOWS\TEMP\~DFEEE6.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\winonbp.exe Infected: not-virus:Hoax.Win32.Renos.asa skipped

Scan process completed.

Paraprosdokian
2008-02-14, 01:29
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 13, 2008 11:39:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/02/2008
Kaspersky Anti-Virus database records: 563353
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 34698
Number of viruses found: 17
Number of infected objects: 33
Number of suspicious objects: 0
Duration of the scan process: 00:19:51

Infected Object Name / Virus Name / Last Action
C:\621e9ee29d7e0684dbd9e6\sp2\update\update.exe Object is locked skipped
C:\Documents and Settings\Administrator\「開始」功能表\程式集\啟動\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\History\History.IE5\MSHist012008021320080214\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\桌面\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\「開始」功能表\程式集\啟動\dzfp.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc85\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc86.exe Infected: not-virus:Hoax.Win32.Renos.asa skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc87.exe Infected: Trojan-Downloader.Win32.Tibs.up skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc88.exe Infected: Email-Worm.Win32.Zhelatin.uv skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc89.exe Infected: Email-Worm.Win32.Zhelatin.uv skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc90.exe Infected: Email-Worm.Win32.Zhelatin.uv skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc91.exe Infected: Trojan-Downloader.Win32.Tibs.up skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc92.exe Infected: Trojan-Downloader.Win32.Tibs.up skipped
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc93.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\braviax.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.cum skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\expacc.exe Infected: Trojan-Downloader.Win32.Diehard.ef skipped
C:\WINDOWS\pss\venm.exeCommon Startup Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\braviax.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.cum skipped
C:\WINDOWS\system32\dllcache\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\drivers\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\system32\drivers\Qjm40.sys Infected: Trojan-Downloader.Win32.Agent.ici skipped
C:\WINDOWS\system32\drivers\secdrv.sys Infected: Trojan-Downloader.Win32.Diehard.dr skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\L9E0.tmp Infected: Trojan-PSW.Win32.LdPinch.dis skipped
C:\WINDOWS\system32\LF8C9.tmp Infected: Trojan-Spy.Win32.Zbot.nd skipped
C:\WINDOWS\system32\LogCrypt.dll Infected: Trojan.Win32.Agent.eub skipped
C:\WINDOWS\system32\nmp.log Object is locked skipped
C:\WINDOWS\system32\users32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped
C:\WINDOWS\TEMP\NERO14399\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\WINDOWS\TEMP\~DF1775.tmp Object is locked skipped
C:\WINDOWS\TEMP\~DF41AF.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
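As an added example (not from the thread or from Kaspersky), a small Python triage script for the plain-text report format above: it splits each result line into path, verdict and last action, separates real malware from Kaspersky's not-a-virus/not-virus riskware labels and from locked or archive-container entries, and lists the malware that the online scanner only reported as "skipped" rather than removed. The sample lines are copied from the two reports in this thread; the bucket names and the Behaviour.Platform.Family reading of the detection names are this example's own conventions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Result lines in the KAV Online Scanner text report have the shape
#   <path> <verdict> <last action>
# The path may itself contain spaces, so the verdict is recognised by its
# known shapes rather than by splitting on whitespace:
#   "Infected: <detection name>", "Object is locked",
#   "<container>: infected - <n>"  (RarSFX, ZIP, ... archives)
_LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Infected: \S+|Object is locked|\S+: infected - \d+) "
    r"(?P<action>\S+)$"
)

# Excerpt copied from the two reports in this thread (not a full report).
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\621e9ee29d7e0684dbd9e6\sp2\update\update.exe Object is locked skipped
C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\WINDOWS\braviax.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.cum skipped
C:\WINDOWS\pss\venm.exeCommon Startup Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped
C:\WINDOWS\system32\LF8C9.tmp Infected: Trojan-Spy.Win32.Zbot.nd skipped
C:\winonbp.exe Infected: not-virus:Hoax.Win32.Renos.asa skipped
C:\sysfudk.exe Infected: Email-Worm.Win32.Zhelatin.uv skipped

Scan process completed.
"""


@dataclass
class Finding:
    path: str
    verdict: str
    action: str
    category: str  # "malware", "riskware", "container" or "locked"
    family: str    # Kaspersky family name, "" where there is none


def classify(verdict: str) -> str:
    """Bucket a verdict for triage.

    Kaspersky marks legitimate-but-abusable tools with "not-a-virus:" and
    scareware hoaxes with "not-virus:"; any other name after "Infected:"
    (Trojan-Spy, Email-Worm, Backdoor, ...) is real malware.
    """
    if verdict == "Object is locked":
        return "locked"
    if verdict.startswith("Infected: "):
        name = verdict[len("Infected: "):]
        if name.startswith(("not-a-virus:", "not-virus:")):
            return "riskware"
        return "malware"
    return "container"  # archive whose infected members are listed separately


def family(verdict: str) -> str:
    """Family component of Behaviour.Platform.Family[.variant], e.g. Zbot."""
    if not verdict.startswith("Infected: "):
        return ""
    name = verdict[len("Infected: "):].rsplit(":", 1)[-1]  # drop not-a-virus: prefix
    parts = name.split(".")
    return parts[2] if len(parts) >= 3 else parts[-1]


def parse_report(text: str) -> list[Finding]:
    """Parse every result line; header, settings and statistics lines do not match."""
    findings = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m is None:
            continue
        verdict = m.group("verdict")
        findings.append(Finding(m.group("path"), verdict, m.group("action"),
                                classify(verdict), family(verdict)))
    return findings


def triage(text: str) -> dict:
    """Summarise a report: counts per bucket, malware families seen, and the
    malware that the scanner only reported ("skipped") and did not remove."""
    findings = parse_report(text)
    return {
        "counts": dict(Counter(f.category for f in findings)),
        "malware_families": sorted({f.family for f in findings if f.category == "malware"}),
        "not_cleaned": [f.path for f in findings
                        if f.category == "malware" and f.action == "skipped"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```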

Paraprosdokian
2008-02-14, 01:35
Here is my HJT file. I only just figured out how to unblock it. Also, the Kaspersky log is above (as you can easily tell).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46:01, on 2008-2-12
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\progra~1\yahoo!\assistant\yassistse.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\msnshell\MSNShell.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\highjakdis\hijakdis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,C:\WINDOWS\System32\idaw64.exe,
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ALiBaBar - {0A1375E1-56C2-11D6-8E45-8933A0FB5235} - C:\PROGRA~1\ALiBaBar\ALiBaBar.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4A40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Super Rabbit SRRestore] C:\PROGRA~1\SUPERR~1\magicset\SRRest.exe /autosave
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: dzfp.exe
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: bw+0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw+0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw-0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw-0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw00 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw00s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw10 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw10s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw20 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw20s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw30 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw30s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw40 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw40s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw50 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw50s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw60 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw60s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw70 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw70s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw80 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw80s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw90 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bw90s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwa0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwa0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwb0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwb0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwc0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwc0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwd0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwd0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwe0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwe0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwf0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwf0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwg0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwg0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwh0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwh0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwi0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwi0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwj0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwj0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwk0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwk0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwl0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwl0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwm0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwm0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwn0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwn0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwo0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwo0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwp0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwp0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwq0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwq0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwr0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwr0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bws0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bws0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwt0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwt0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwu0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwu0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwv0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwv0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bww0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bww0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwx0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwx0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)

Paraprosdokian
2008-02-14, 01:38
O18 - Protocol: bwy0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwy0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwz0 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: bwz0s - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O18 - Protocol: offline-8876480 - {B9156DC7-C1D3-46E0-8C36-E4C92DF9BE1D} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\anti\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\anti\avgupsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21955 bytes

little eagle
2008-02-15, 13:51
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

If you have not already done so, Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall or freeze.

Paraprosdokian
2008-02-15, 15:36
Thank you so very much for your help! This virus is a real doozy, took me an hour or two to figure out how to even turn on my computer, then another two hours to figure out how to access HijackThis.

I was unable to run Combofix. At first when I downloaded it, I didn't rename it. On clicking it, nothing happened. I downloaded it again, renamed it CF and then it opened, very briefly. There was a progress bar, with Combofix on top. Then it turned itself off and nothing happened.

I'm not sure if this is as a result of the virus, or the result of my way of turning on the computer (by terminating explorer, then restarting it by using Ctrl-Alt-Del's browse function). I also tried using Combofix in safe mode. Didn't work. The virus has already disabled all my other AVs so I didn't bother disabling their defences. That may be another possibility for why Combofix didn't work. However, I suspect we have an incredibly wily virus.

Thank you again for your help.

Paraprosdokian
2008-02-15, 15:40
By the way, HJT is still working, so perhaps I could use that to eliminate my virus, or at least as a stopgap measure to wipe enough of the virus so I can use combofix.

Ad-aware is also still working, along with the Kaspersky online scanner. Spybot won't work, despite my renaming it. Norton won't install because I have to restart the computer before I can use it (and as soon as I turn on the computer it automatically restarts as I described above). If I open the My Computer window, it's just blank.

little eagle
2008-02-15, 16:32
Rescan with HiJackThis and post a new log here.
You can remove the 018's before posting. :cool:

Paraprosdokian
2008-02-15, 16:36
thanks :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:34:01, on 2008-2-15
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\ASSIST~1\ylive.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\highjakdis\hijakdis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,C:\WINDOWS\System32\idaw64.exe,
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4A40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Super Rabbit SRRestore] C:\PROGRA~1\SUPERR~1\magicset\SRRest.exe /autosave
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: dzfp.exe
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[018s relating to Logitech deleted]

O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\anti\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\anti\avgupsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21388 bytes

little eagle
2008-02-15, 16:46
Close all programs leaving only HijackThis running. Place a check against each of the following,
R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,C:\WINDOWS\System32\idaw64.exe,
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4A40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - Global Startup: dzfp.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
Click on Fix Checked when finished and exit HijackThis.


Reboot in safe mode, instructions here. (http://forums.security-central.us/showthread.php?t=1903)
Some of these files may have hidden attributes.
Click here (http://forums.security-central.us/showthread.php?t=30) should you need instructions for showing hidden files and folders in Windows.
Once in safe mode, click Start, then My Computer, then Local Disk, and follow the process tree.
Or, using Windows Explorer, locate the first file, right-click it, then select Delete.

Delete the following file(s) listed in bold.
dzfp.exe (do a search for this one; it'll probably be in c:\windows or c:\windows\system32.)

C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\System32\cru629.dat

Reboot and rescan with HijackThis and post a new log here.
Also please describe how your computer behaves at the moment.

Paraprosdokian
2008-02-15, 17:52
I'm sorry for the wait; there was a problem with my network, so I had no connection to the internet. I'll post my new HJT log first, then a description of my circumstances.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:15:59, on 2008-2-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\progra~1\yahoo!\assistant\yassistse.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\msnshell\MSNShell.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[018s deleted]

O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\anti\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\anti\avgupsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21579 bytes

Paraprosdokian
2008-02-15, 17:58
Thanks for your quick reply btw. It's much appreciated.

I should also mention that my computer's XP is in Chinese, and I can't read Chinese (I'm at my aunt's place in Hong Kong... I really want to fix this up before she comes back from Canada. I think the virus was already there, but I activated it by downloading Spybot.) This means that simple stuff like revealing hidden files becomes a bit more difficult (I figured out how to do it, because I've done it before in English). Sometimes I may have to ask you for screenshots, though.

Brief description of what happened:
I rebooted in safe mode and did as you said, except I couldn't find dzfp.exe. The search function doesn't seem to be working properly: the first time I searched it only found one braviax, the second time it found 3. Scrolling down in Windows Explorer was laggy, but not too laggy. Otherwise, all seemed well.

Rebooted in normal mode. It didn't automatically reboot (hurray), but the little pop-up window informing me I still had spyware was still there. There was a period where the computer was loading something (you could see the hourglass thing). It took about 30-60 seconds, and I couldn't do anything aside from move the cursor. Then Spybot S&D informed me of several registry changes. I denied them all. They may be from when I was fiddling with msconfig earlier; the change I made never got processed because I always terminated Explorer ASAP.

Category: System Startup User Entry
Change: Value deleted
Entry: firewall auto setup
Old: C:/windows/temp/winlogon.exe

Category: System Startup Global Entry
Change: Value added
Entry: Super Rabbit Magic Set
Old: [location of file]

Category: System Startup Global Entry
Change: Value deleted
Entry: ylive.exe
Old: [location of file]

I went to My Computer and discovered braviax had returned to the Windows folder (I'd deleted it) along with cru629. My network program is meant to have a small icon in the start menu... it wasn't there, so I tried opening it, but it gave me an error message! It took me a while to figure out that it was actually open but not showing, so I terminated it with Ctrl-Alt-Del and restarted it, and everything was OK again.

little eagle
2008-02-15, 18:18
We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

----------------------------------------

Close all programs leaving only HijackThis running. Place a check against each of the following,

O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat

Click on Fix Checked when finished and exit HijackThis.

-------------------------------------

I see that you are running msconfig in /auto mode, which means that you may have selectively removed some items from the startup procedure in the past.
This can be bad if they are malware, so we would like you to re-enable those startup entries by doing the following:

Please click on Start, then Run, type msconfig, and then press Enter.
When the window opens, click on the Startup tab and make sure there are checkmarks in every entry.
Then press OK until you are out of the program. If it asks to reboot, do not reboot.

Now please create a new Hijackthis Log and post it as a reply.
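
The two HijackThis fix lists above single out the same kinds of entry: extra programs chained onto UserInit, a .dat file loaded through AppInit_DLLs, a Run key that points into %TEMP% under a system binary's name, and a bare executable sitting in the Startup folder. The script below is an added example, not part of this thread and not something HijackThis does itself, that applies those structural rules to lines copied from the logs posted here. The severity labels, the SYSTEM_BINARIES set, the rundll32 exemption and the SYSTEM32 path are this example's own assumptions. Name-based identification (that braviax.exe belongs to a known adware family) is not attempted; it still needs a reference.

```python
import ntpath

# Entries copied from the HijackThis logs posted in this thread (not a full
# log). The rules below are this example's own heuristics; HijackThis itself
# only lists the entries.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,C:\WINDOWS\System32\idaw64.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - Global Startup: dzfp.exe
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\anti\avgupsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Names Windows starts only from %SystemRoot%\System32 (assumed list); a Run
# entry using one of them from anywhere else is impersonating a system binary.
SYSTEM_BINARIES = {"winlogon.exe", "userinit.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "smss.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"        # default XP location, as in the logs


def split_entry(line):
    """'O4 - HKLM\\..\\Run: [x] y' -> ('O4', 'HKLM\\..\\Run', '[x] y')."""
    section, _, rest = line.partition(" - ")
    location, _, payload = rest.partition(": ")
    return section.strip(), location.strip(), payload.strip()


def image_path(cmd):
    """Executable part of a command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return [(severity, line, reason)] for entries that deserve a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        section, location, payload = split_entry(line)
        if section == "F2" and payload.lower().startswith("userinit="):
            # Everything after userinit.exe runs at every logon, before the shell.
            for entry in payload[len("userinit="):].split(","):
                entry = entry.strip()
                if entry and ntpath.basename(entry).lower() != "userinit.exe":
                    findings.append(("high", line,
                        f"extra UserInit program {entry} runs at every logon, before the shell"))
        elif section == "O20" and location == "AppInit_DLLs" and payload:
            findings.append(("high", line,
                f"AppInit_DLLs injects {payload} into every process that loads user32.dll"))
        elif section == "O4" and location in ("Global Startup", "Startup"):
            # Installers put shortcuts (.lnk) here; a raw .exe was copied in.
            if ".lnk" not in payload.lower():
                findings.append(("high", line,
                    f"raw executable {payload} dropped in the Startup folder (no shortcut)"))
        elif section == "O4":
            cmd = payload.partition("] ")[2] if payload.startswith("[") else payload
            exe = image_path(cmd)
            base = ntpath.basename(exe).lower()
            if "\\temp\\" in exe.lower():
                findings.append(("high", line, f"{exe} runs from a temp directory"))
            elif base in SYSTEM_BINARIES and not exe.lower().startswith(SYSTEM32):
                findings.append(("high", line, f"{base} outside System32 is an impersonation"))
            elif "\\" not in exe and base != "rundll32.exe":
                findings.append(("review", line,
                    f"{exe} has no directory; it is resolved by PATH search, locate it with 'where'"))
        elif section == "O23" and payload.endswith("(file missing)"):
            findings.append(("review", line, "service registration points at a missing binary"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

The HKCU braviax entry with a full System32 path passes every structural test, which is why the fix list above relies on knowing the name; the dangling AVG service entries are only marked for review because an orphaned uninstall and a removed downloader look the same in an O23 line.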

Paraprosdokian
2008-02-15, 18:28
I can't open the main S&D console (still blocked), but about 20 minutes ago I right-clicked the system tray icon and disabled something. I can't remember what; it was probably the Resident TeaTimer.

However, I have rechecked all items in msconfig.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:52, on 2008-2-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\progra~1\yahoo!\assistant\yassistse.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\msnshell\MSNShell.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: venm.exe
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\anti\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\anti\avgupsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21768 bytes

little eagle
2008-02-15, 18:40
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not click ComboFix's window while it's running. That may cause it to stall or freeze.

Paraprosdokian
2008-02-15, 18:43
Nope, ComboFix still isn't working (same symptoms as last time). Under its original name it won't open at all; renamed, it only opens a progress bar which quickly closes.

Paraprosdokian
2008-02-15, 19:01
My computer just froze again (it does that a lot... it's done it ever since I started using it two months ago), so I had to restart my computer.

It automatically restarted again. :( Things were looking better and now they're worse again.

little eagle
2008-02-15, 21:47
You can try safe mode with networking.

Run this online scan from ESET (http://www.eset.eu/online-scanner)

You will need to use Internet explorer for this scan!
First, accept the Terms of Use
Click: Start
When asked, allow the ActiveX control to install
Click: Start
Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!
Click: Scan


When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt

Paraprosdokian
2008-02-16, 04:36
I entered Safe Mode with Networking; my wireless application will open, but once I click on the network I want to join nothing happens (usually a box pops up asking for a password).

The following ESET scan was done in normal mode:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2880 (20080215)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=3c210b434ad10e4d9e2406a18ed59849
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-16 03:29:08
# local_time=2008-02-16 11:29:08 (+0800, )
# country="People's Republic of China"
# osver=5.1.2600 NT Service Pack 1
# scanned=156976
# found=19
# scan_time=800
C:\Documents and Settings\All Users.WINDOWS\「開始」功能表\程式集\啟動\venm.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\highjakdis\backups\backup-20080216-000227-824-dzfp.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\msnshell\msnshell.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc101.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc102.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc86.exe probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc93.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc94.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc96.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\braviax.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\expacc.exe Win32/TrojanDownloader.Wigon.C trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\braviax.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\L9E0.tmp a variant of Win32/Injector.M trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\LogCrypt.dll a variant of Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\users32.dat Win32/TrojanDownloader.Small.NZN trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\dllcache\beep.sys a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\beep.sys a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\Qjm40.sys Win32/Wigon.AV trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\secdrv.sys Win32/Rootkit.Agent.DP trojan (unable to clean - deleted) 000000000000000000000
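
The report above carries more than a count of 19. Two of the hits are the same driver name under system32\drivers and system32\dllcache, and beep.sys and secdrv.sys are names of drivers that ship with XP, so those are existing files overwritten in place rather than new files dropped in. The parser below is an added example, not ESET's tooling and not part of the thread, that pulls those facts out of a subset of the posted lines; the regex for the line format and the KNOWN_DRIVER_NAMES set (limited to the two names seen in this thread) are assumptions of the example.

```python
import ntpath
import re
from collections import Counter

# Detection lines copied from the ESET Online Scanner report posted above
# (a subset of the 19; the last hash is as truncated in the post).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users.WINDOWS\「開始」功能表\程式集\啟動\venm.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\msnshell\msnshell.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc101.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-789336058-725345543-839522115-500\Dc86.exe probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\braviax.exe a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\expacc.exe Win32/TrojanDownloader.Wigon.C trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\dllcache\beep.sys a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\beep.sys a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\Qjm40.sys Win32/Wigon.AV trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\secdrv.sys Win32/Rootkit.Agent.DP trojan (unable to clean - deleted) 000000000000000000000
"""

# Assumed line layout: <path with spaces> [qualifier] <family> <kind> (<action>) <hash>.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<qualifier>a variant of |probably a variant of |probably unknown )?"
    r"(?P<family>\S+) (?P<kind>application|trojan|virus) "
    r"\((?P<action>[^)]+)\) (?P<hash>[0-9a-fA-F]+)$")

# Driver names that ship with Windows XP (beep.sys) and with SafeDisc on XP
# (secdrv.sys). Assumption of this example: only the two names from this thread.
KNOWN_DRIVER_NAMES = {"beep.sys", "secdrv.sys"}


def parse_report(text):
    """One dict per detection line; lines that do not fit the layout are skipped."""
    hits = []
    for line in text.strip().splitlines():
        m = DETECTION_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def family_counts(hits):
    """How many files each detection name accounts for."""
    return Counter(h["family"] for h in hits)


def wfp_twins(hits):
    """Names detected under both system32\\drivers and system32\\dllcache.
    Windows File Protection restores a driver from dllcache, so deleting only
    the live copy of such a pair brings the malicious file straight back."""
    seen = {}
    for h in hits:
        path = h["path"].lower()
        name = ntpath.basename(path)
        if "\\system32\\drivers\\" in path:
            seen.setdefault(name, set()).add("drivers")
        elif "\\system32\\dllcache\\" in path:
            seen.setdefault(name, set()).add("dllcache")
    return sorted(n for n, where in seen.items() if where == {"drivers", "dllcache"})


def overwritten_drivers(hits):
    """Detections whose file name belongs to a driver the OS already had."""
    return sorted({ntpath.basename(h["path"]).lower() for h in hits
                   if ntpath.basename(h["path"]).lower() in KNOWN_DRIVER_NAMES})


def undeleted(hits):
    """Hits whose action was anything other than deletion (still on disk)."""
    return [h["path"] for h in hits if "deleted" not in h["action"]]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print(f"{len(hits)} detections")
    for family, n in family_counts(hits).most_common():
        print(f"  {n:2d}  {family}")
    print("dllcache/drivers pairs:", wfp_twins(hits))
    print("overwritten OS drivers:", overwritten_drivers(hits))
    print("not deleted:", undeleted(hits))
```

Every action in the posted report is "unable to clean - deleted": the file is gone, but whatever pointed at it (the Run keys, the UserInit chain, the service entries for the .sys files) is not, which is why a fresh HijackThis log is the right next step after a scan like this one.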

little eagle
2008-02-16, 06:16
Download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Paraprosdokian
2008-02-16, 07:18
Upon installing, error 701(0) was encountered.

Paraprosdokian
2008-02-16, 07:23
Sorry, I guess I should clarify (just woke up and still a bit woozy).

I installed it and clicked Update and Launch; it seemed to update OK, but then upon launching the error 701 (0) occurred.

little eagle
2008-02-16, 13:37
Rescan with HijackThis and post a new log here.

Paraprosdokian
2008-02-16, 14:59
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58:25, on 2008-2-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\progra~1\yahoo!\assistant\yassistse.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\anti\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\anti\avgupsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21780 bytes

Paraprosdokian
2008-02-16, 15:28
I'm not sure what happened but braviax.exe is gone. cru629.dat is still there but I can now open Spybot Search and Destroy.

A scan found 3 bugs: Win32.agent.bid, Win32.agent.pz, Win32.tiny.abk

I erased them, but halfway through erasing S+D detected a registry change:

Category: System Startup User Entry
Change: Value Deleted
Entry: Firewall autosetup
Old data: C:/windows/temp/winlogon.exe

So clearly, there's still some residual viruses left but I seem to be in the clear. Just in case, I won't restart my computer (since that seems to reboot the virus).

little eagle
2008-02-17, 01:30
On restarting, if TeaTimer asks to allow the changes, let it.


Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.
The Avenger must be run from a user account with administrator privileges,
and ONLY works on Windows 2000 and XP, and only on 32-bit versions!

Copy all the text contained in the code box below to your Clipboard.

Files to delete:
C:\WINDOWS\TEMP\winlogon.exe
C:\WINDOWS\System32\cru629.dat
Registry values to delete:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Firewall auto setup


The above script is for this user only, if you need help please start your own thread.

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text into this window.
Click Done, then click on the Green Light.
Answer "Yes" twice when prompted.
Your computer should reboot and briefly open a black command window on your desktop; this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt
Paste the contents of the file into your reply along with a fresh HJT log.

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

Paraprosdokian
2008-02-17, 03:43
The automatic-restart error whenever I turn on the computer appears to have gone away, as well as the redirecting of links from Google.

Running Avenger was a bit problematic. After clicking the first yes, there were a series of error messages about not finding some file (as you can see in the log).

When the computer restarted, as windows started loading, the computer shut itself off (no "windows is restarting blue screen") then turned itself back on again. I didn't see a command prompt window, only the log attached below.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Firewall auto setup


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tnowvfua

*******************

Script file located at: \??\C:\Program Files\twwwbioa.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\TEMP\winlogon.exe not found!
Deletion of file C:\WINDOWS\TEMP\winlogon.exe failed!

Could not process line:
C:\WINDOWS\TEMP\winlogon.exe
Status: 0xc0000034

File C:\WINDOWS\System32\cru629.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tnowvfua

*******************

Script file located at: \??\C:\Program Files\twwwbioa.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:41, on 2008-2-17
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\progra~1\yahoo!\assistant\yassistse.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 22198 bytes

little eagle
2008-02-17, 05:28
In Add/Remove programs click on these and press *remove* if listed:
Ad-Aware 2007
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5- 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE

---------------------------------

We will need to disable TeaTimer
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

---------------------------------

Close all programs, leaving only HijackThis running. Place a check against each of the following:

O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat

Click on Fix Checked when finished and exit HijackThis.
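The two lines singled out above stand out for reasons that can be checked mechanically: a program named winlogon.exe launched from C:\WINDOWS\TEMP, and an AppInit_DLLs value (a DLL path that Windows maps into every process that loads user32.dll) pointing at a .dat file. The script below is an added example, not part of this thread, of HijackThis or of any tool the posters used; it applies those checks, plus two weaker ones (bare file names with no directory, such as braviax.exe, and services whose binary is "(file missing)"), to O4/O20/O23 lines. The sample lines are copied from the logs posted in this thread; the rule set and the small KNOWN_PATHLESS allow-list are my assumptions about what a removal helper looks for, not HijackThis behaviour.

```python
"""Triage HijackThis O4 / O20 / O23 lines for persistence red flags.

Example code added to this thread; it is not HijackThis, Avenger or any tool
the posters used. Rules (assumed, modelled on what a helper checks by eye):
  * a startup program launched from a TEMP directory;
  * a core Windows binary name (winlogon.exe, svchost.exe, ...) outside System32;
  * any AppInit_DLLs value at all (mapped into every process that loads user32.dll);
  * a bare file name with no directory (resolved via PATH, so it cannot be
    located from the log alone);
  * a service whose binary HijackThis reports as "(file missing)".
"""
import re
from dataclasses import dataclass

# Core processes that live only in %SystemRoot%\System32 on Windows XP.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "smss.exe"}
# Windows components HijackThis routinely lists by bare name (assumed allow-list).
KNOWN_PATHLESS = {"ctfmon.exe", "rundll32.exe"}

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SYSTEM32_FILE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
O4_RUN = re.compile(r"^O4 - HK\S*\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<value>\S.*)$")
# Unquoted image path: up to the first executable-looking extension that is
# followed by whitespace or end of line (HJT prints paths with spaces unquoted).
IMAGE_WITH_EXT = re.compile(
    r"^(?P<img>.+?\.(?:exe|com|scr|pif|bat|cmd|dll|dat))(?:\s+(?P<args>.*))?$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": locate and verify on disk
    reason: str
    line: str


def split_command(cmd):
    """Return (image_path, arguments) for an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with args
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = IMAGE_WITH_EXT.match(cmd)
    if m:
        return m["img"], (m["args"] or "")
    parts = cmd.split(None, 1)                   # no recognisable extension
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_run_entry(name, cmd, line):
    image, _args = split_command(cmd)
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    found = []
    if TEMP_DIR.search(image):
        found.append(Finding("high", f"[{name}] runs {base} from a temp directory", line))
    if base in SYSTEM_BINARIES and "\\" in image and not SYSTEM32_FILE.match(image):
        found.append(Finding("high", f"[{name}] uses core binary name {base} outside System32", line))
    if "\\" not in image and base not in KNOWN_PATHLESS:
        found.append(Finding("review", f"[{name}] bare file name {base}: resolved via PATH, locate it on disk", line))
    return found


def triage(lines):
    """Run every rule over an iterable of HijackThis log lines."""
    found = []
    for raw in lines:
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            found.extend(check_run_entry(m["name"], m["cmd"], line))
            continue
        m = O20_APPINIT.match(line)
        if m:
            value = m["value"].strip()
            ext = value.rsplit(".", 1)[-1].lower() if "." in value else ""
            why = "AppInit_DLLs is set: the file is loaded into every process that loads user32.dll"
            if ext != "dll":
                why += f" (and it is a .{ext} file, not a .dll)"
            found.append(Finding("high", why, line))
            continue
        if line.startswith("O23 - Service:") and "(file missing)" in line:
            found.append(Finding("review", "service points at a missing binary: uninstalled product or deleted malware stub", line))
    return found


# Sample input: O4/O20/O23 lines copied from the logs posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [braviax] braviax.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')",
    r"O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\anti\avgamsvr.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.reason}\n       {f.line}")
```

Run against the sample, the "Firewall auto setup" entry produces two high findings (temp directory and a core binary name outside System32), the AppInit_DLLs line one, and braviax.exe only a "review" note: a bare name is not proof of anything (SOUNDMAN.EXE gets the same note), which is why the helpers in this thread asked for the file to be located rather than simply deleted. The "review" rules are deliberately noisy; the "high" rules are the ones worth acting on from the log alone.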

Paraprosdokian
2008-02-17, 15:22
Done.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:21:39, on 2008-2-17
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\progra~1\yahoo!\assistant\yassistse.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21645 bytes

little eagle
2008-02-17, 15:30
Remove Spybot in Add/Remove Programs.

---------------------------

Click on Start, then Run, type msconfig and press Enter.
When the window opens click on the startup tab and make sure there are checkmarks in every entry.
Then press ok until you are out of the program. If it asks to reboot, do not reboot.

Now please create a new Hijackthis Log and post it as a reply.

Paraprosdokian
2008-02-17, 15:39
Hmm, that's odd. I'm sure I went and ticked everything in msconfig before... now there were about 5 which weren't ticked.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:36:54, on 2008-2-17
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\progra~1\yahoo!\assistant\yassistse.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到雅虎订阅(&Y) - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yrss.dll/YRSSMENUEXT
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21340 bytes

little eagle
2008-02-17, 16:06
Download ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

Download AVG Anti-Spyware Instructions and download link can be found here (http://forums.security-central.us/showthread.php?t=3165).
Update it but DO NOT run a scan just yet, we will run the scan later.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

http://siri.urz.free.fr/Fix/Bitmaps/Folder.png

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter

http://siri.urz.free.fr/Fix/Bitmaps/Fix01b.png

This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
It will create a file named: c:\rapport.txt
Please post the C:\rapport.txt in your next reply

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Paraprosdokian
2008-02-17, 16:21
I already installed AVG (I did it once braviax mysteriously disappeared).

I had previously used smitfraud (before you began helping me and I was trying to fix the problem myself). I uninstalled it all, then used your version.

SmitFraudFix v2.290

Scan done at 23:19:12.17, 2008-02-17 星期日
Run from C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\桌面\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\progra~1\yahoo!\assistant\yassistse.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\conime.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: LevelOne WNC-0301 11g Wireless PCI Adapter - Packet Scheduler Miniport
DNS Server Search Order: 218.102.48.77
DNS Server Search Order: 205.252.144.126

HKLM\SYSTEM\CCS\Services\Tcpip\..\{13BC82FB-DD2C-4876-95D6-F119414CBCC6}: DhcpNameServer=218.102.48.77 205.252.144.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{13BC82FB-DD2C-4876-95D6-F119414CBCC6}: DhcpNameServer=218.102.48.77 205.252.144.126
HKLM\SYSTEM\CS2\Services\Tcpip\..\{13BC82FB-DD2C-4876-95D6-F119414CBCC6}: DhcpNameServer=218.102.48.77 205.252.144.126
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=218.102.48.77 205.252.144.126
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=218.102.48.77 205.252.144.126
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=218.102.48.77 205.252.144.126


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

little eagle
2008-02-17, 16:28
Download ComboFix again as it is updated almost daily from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

Reboot in safe mode to try to scan.

Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Post the "C:\ComboFix.txt" if you get it to run.

Paraprosdokian
2008-02-17, 16:58
combofix was in Chinese :S. Must have detected my XP's default language. The tutorial on combofix I used didn't mention the computer restarting... but my computer did. Also, it didn't create the file as C:/combofix.txt but it created an entire new folder called combofix with lots of files, plus a file called combofix.txt. Attached below.

ComboFix 08-02-17.2 - Administrator 2008-02-17 23:45:33.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.936.1.1028.18.1798 [GMT 8:00]
執行位置: C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

little eagle
2008-02-17, 17:00
Rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

Paraprosdokian
2008-02-17, 17:13
My computer is acting perfectly normally. No errors whatsoever.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:12, on 2008-02-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\WINDOWS\System32\conime.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21191 bytes
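A defender-side helper for the rescan-and-compare step in this thread, added here as an example and not part of HijackThis, ComboFix or the helper's instructions: it parses the O4 registry lines of two HijackThis logs, lists what was added or removed between them, and flags entries that persist with a bare, path-less image outside an allowlist, which is what makes the braviax entry stand out from ctfmon.exe or nwiz.exe. The two log snippets are constructed (abbreviated from the first and the post-ComboFix logs above), and the KNOWN_BARE_IMAGES allowlist and all function names are assumptions for illustration.

```python
"""Compare the O4 (registry autostart) entries of two HijackThis logs.

Added example for this thread, not part of HijackThis or ComboFix. The two
log snippets are constructed, abbreviated from the logs posted above; the
allowlist of bare image names is an assumption for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Matches lines such as:  O4 - HKLM\..\Run: [braviax] braviax.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


class RunEntry(NamedTuple):
    hive: str      # HKLM, HKCU, HKUS\S-1-5-19, ...
    key: str       # Run, RunOnce, ...
    name: str      # value name shown in [...]
    command: str   # command line exactly as HijackThis logged it

    @property
    def image(self) -> str:
        """First token of the command line, unquoted (e.g. 'braviax.exe')."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split(" ", 1)[0]

    @property
    def has_path(self) -> bool:
        """True when the image carries a directory, drive or %VAR% prefix."""
        return "\\" in self.image or self.image.startswith("%")


def parse_o4(log: str) -> Dict[str, RunEntry]:
    """Map 'hive\\key\\name' -> RunEntry for every O4 registry line in a log."""
    entries: Dict[str, RunEntry] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            e = RunEntry(m["hive"], m["key"], m["name"], m["cmd"])
            entries[f"{e.hive}\\{e.key}\\{e.name}"] = e
    return entries


# Bare (path-less) images that the logs in this thread show for legitimate
# Windows and driver components. Assumed allowlist for the example only.
KNOWN_BARE_IMAGES: Set[str] = {
    "ctfmon.exe", "nwiz.exe", "soundman.exe", "khalmnpr.exe", "rundll32.exe",
}


def compare_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Report entries added, removed, and those persisting with a bare image
    outside the allowlist: they survived a cleanup round and give no directory
    to verify, which is what made the braviax entry stand out."""
    old, new = parse_o4(before), parse_o4(after)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "suspicious_persistent": sorted(
            k for k in common
            if not new[k].has_path and new[k].image.lower() not in KNOWN_BARE_IMAGES
        ),
    }


# Constructed snippets, abbreviated from the first and the post-ComboFix log.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yassistse] c:\progra~1\yahoo!\assistant\yassistse.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

if __name__ == "__main__":
    for label, keys in compare_logs(BEFORE_LOG, AFTER_LOG).items():
        print(f"{label}: {keys}")
```

The "Global Startup" O4 lines are .lnk shortcuts rather than registry values and are deliberately skipped by the regex.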

little eagle
2008-02-17, 17:26
Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINDOWS\braviax.exe


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log .

Paraprosdokian
2008-02-17, 17:49
Oh yes, I forgot to mention. Every time my computer turns on, there's a box that says something about msconfig. If I press yes, msconfig reopens.

Initially I couldn't run combofix, it said "you cannot rename combofix.exe as combofix." So I renamed it "cf" and that seemed to work:

ComboFix 08-02-17.2 - Administrator 2008-02-18 0:41:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.936.1.1028.18.1532 [GMT 8:00]
執行位置: C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\桌面\cf.exe
Command switches used :: C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\桌面\CFScript.txt
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\braviax.exe
.




and because I know you like HJT:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:48, on 2008-02-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\conime.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\cf\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21169 bytes

little eagle
2008-02-17, 17:51
Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

It may reboot your PC :cool:

Paraprosdokian
2008-02-17, 18:04
I assume you mean my renamed cf.exe

It ran ok, except after it rebooted the computer froze whilst showing the kmd screen. When I pressed the reset button, it began to reset but then froze again whilst booting (before the windows screen came up) so I had to reboot a second time.

ComboFix 08-02-17.2 - Administrator 2008-02-18 0:54:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.936.1.1028.18.1552 [GMT 8:00]
執行位置: C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\桌面\cf.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:04, on 2008-02-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\WINDOWS\System32\conime.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\cf\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21169 bytes

Paraprosdokian
2008-02-17, 18:11
If the remaining issue is the O4 - HKLM\..\Run: [braviax] braviax.exe line, wouldn't opening up regedit then deleting that line be sufficient?

It's just HKey_Local_machine/software/microsoft/windows/currentversion/run/braviax right?

little eagle
2008-02-17, 18:12
Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.

Press cleanup & it will search for and delete/uninstall all the tools we have used
to fix your problems and all their backup folders and then delete itself when you next reboot.

----------------------

little eagle
2008-02-17, 18:17
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Try to run it without renaming it.


Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Paraprosdokian
2008-02-17, 18:35
When I tried to run it, it started up but encountered an "integer overflow" and shut itself down. The only thing left on the screen was the safe mode background (black with "safe mode in all four corners") and no start menu. I restarted the computer using ctrl+alt+del, and it finished running the scan.


Rebooting...


Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 01:30:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x9b50\xe669s^L?\x60c0c\x90ec?????"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:835a95e3
"s2"=dword:68a0ebb8
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:3f,31,96,b9,23,d6,41,58,f4,bd,10,03,39,a8,1f,79,97,04,19,94,a6,..
"p0"="D:\Pat\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,50,01,ad,8e,41,c4,18,80,c8,52,57,03,04,2d,ab,07,86,..
"khjeh"=hex:5a,10,14,3d,ea,a9,77,23,e7,ff,48,4e,88,31,6b,ef,c0,67,c7,42,c5,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:b9,d3,59,76,1a,22,2f,82,a4,51,e4,60,b2,12,c9,90,54,13,28,a4,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x9b50\xe669s^L?\x60c0c\x90ec?????"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:3f,31,96,b9,23,d6,41,58,f4,bd,10,03,39,a8,1f,79,97,04,19,94,a6,..
"p0"="D:\Pat\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,50,01,ad,8e,41,c4,18,80,c8,52,57,03,04,2d,ab,07,86,..
"khjeh"=hex:5a,10,14,3d,ea,a9,77,23,e7,ff,48,4e,88,31,6b,ef,c0,67,c7,42,c5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:b9,d3,59,76,1a,22,2f,82,a4,51,e4,60,b2,12,c9,90,54,13,28,a4,f2,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x53a4\32}TQP[T\x6d7el-\x59ce[]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,1c,b5,fd,f8,e6,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x825dN?]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\x85cc\x8a7a}vr???"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,""
"Kb\x91f8 ?1??"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"Kb\x91f8 ?2??"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"P`\x5d2f?"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"\x9c5d\n?_??"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\ac\x9832\x79b0??"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
">e'Y"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"\x59baOY?"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
"\x85cc\x8a7a\x53adr????"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\\x9290d\x6786[\x8f2c\x6a6e\x9f46q_\x87be]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="\x5982\x679c\x60a8\x8981\x89e3\x9664\x5b89\x88dd\x9019\x4e00\x7248 Windows\xff0c\x4e26\x56de\x5230\x60a8\x4e4b\x524d\x7684\x4f5c\x696d\x7cfb\x7d71\x7684\x8a71\xff0c\x60a8\x5c07\x9700\x8981\x9019\x4e9b\x6a94\x6848\x3002"
"Display"="\x4e4b\x524d\x4f5c\x696d\x7cfb\x7d71\x7684\x5099\x4efd\x6a94\x6848"
"IconPath"=str(2):"%SystemRoot%\system32\osuninst.EXE,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x53a4\32}TQP[T\x6d7el-\x59ce[]
"DisplayName"="\x8d85\x7d1a\x5154\x5b50\x9b54\x6cd5\x8a2d\x5b9a"
"UninstallString"="C:\PROGRA~1\SUPERR~1\magicset\UNWISE.EXE C:\PROGRA~1\SUPERR~1\magicset\INSTALL.LOG"
"DisplayIcon"="C:\PROGRA~1\SUPERR~1\magicset\MagicSet.exe,-0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x825dN?]
"DisplayName"="\x96c5\x864e\x901a"
"UninstallString"="C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG"
"DisplayIcon"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe,-0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper]
"0}\16f\x8a7a?"=dword:00008088
"\x76730}\16f\x8a7a??"=dword:00000088
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"\31jwi\x8a7a ?(?T?r?u?e?T?y?p?e?)??"="KAIU.TTF"
"0}\16f\x8a7a ?&? ?\x76730}\16f\x8a7a ?(?T?r?u?e?T?y?p?e?)????"="MINGLIU.TTC"
"\x98ea\x7a457Q\x5a85 ?&? ?\x98ea\x7a457Q\x5a85(?P?)? ?(?T?r?u?e?T?y?p?e?)???????"="DFFN_N3.TTC"
"\x98ea\x7a45P?O?P?1?\x8a7aW?7? ?&? ?\x98ea\x7a45P?O?P?1?\x8a7aW?7?(?P?)? ?(?T?r?u?e?T?y?p?e?)???????"="DFFN_P7.TTC"
"\x98ea\x7a45-N\x8933\x8a7a ?&? ?\x98ea\x7a45-N\x8933\x8a7a(?P?)? ?(?T?r?u?e?T?y?p?e?)?????????"="DFFN_B5.TTC"
"\x98ea\x7a45!|wi ?&? ?\x98ea\x7a45!|wi(?P?)? ?(?T?r?u?e?T?y?p?e?)?????"="DTCN_K6.TTC"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\#\x602d}]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\_U\x8a96]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x53a4\32}TQP[T\x6d7el-\x59ce[]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x8922^t\37g'\x5cce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x8922^t\37g'\x5cce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\D\x6754\\x84a9(u\vz\17_]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\D\x6754\\x84a9(u\vz\17_\TS\x33d1\x9327wQ]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\D\x6754\\x84a9(u\vz\17_\\eZ\2j]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\D\x6754\\x84a9(u\vz\17_\\x9e7cq}\x9327wQ]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\D\x6754\\x84a9(u\vz\17_\\32?]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x825dN\x556fRKb]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x825dN?]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups]
"J?j4X?"="\x9644\x5c6c\x61c9\x7528\x7a0b\x5f0f\\x904a\x6a02\x5834"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\\x5a72\x9bea\xe550\x6786hV]
"SaveSettings"="1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\:O\rghV\xe501\6t\x917a]
"SaveSettings"="1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\O(u\5\x20ac\xe501\6t\x917a]
"SaveSettings"="1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\\x77b9\x9045O(u\5\x20ac\xe501\6t\x917a]
"SaveSettings"="1"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:



Files with Hidden Attributes:

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Documents and Settings\Administrator.LINUX-3V3JPXBEO\My Documents\John\Spybot - Search & Destroy\TeaTimer.exe"

Finished!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:34, on 2008-02-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\conime.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\cf\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 21009 bytes

little eagle
2008-02-17, 18:47
Close all programs leaving only HijackThis running. Place a check against each of the following,

O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\cf\Combobatch.bat

Click on Fix Checked when finished and exit HijackThis.


------------------------------------

Run this online scan from ESET (http://www.eset.eu/online-scanner)

You will need to use Internet Explorer for this scan!
First, accept the Terms of Use
Click: Start
When asked, allow the ActiveX control to install
Click: Start
Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!
Click: Scan


When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt

-------------------------------

It will be a few hours before I return.
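
As an added example (not part of this thread, and not HijackThis code): a small Python parser for HijackThis O4 lines that answers both the earlier question about which regedit key holds the braviax value and the combofix line the helper asks to fix here. It expands the abbreviated HKLM\..\Run / HKCU\..\Run / HKUS\<SID>\..\Run notation to the full key path regedit needs, splits each value into image and arguments, and reports entries that name their executable by bare file name (resolved through the search path, as braviax.exe is) rather than by full path. The sample lines are copied from the HijackThis log posted above; the list of value names handed to removal_targets() is an assumption standing in for whatever the helper told the poster to fix, and nothing in the code decides on its own that an entry is malicious.

```python
"""Triage of HijackThis O4 (registry autorun) lines.

Added example for this thread; not part of the original posts and not
HijackThis code.  SAMPLE_LOG is copied from the HijackThis output posted
above.  The value names passed to removal_targets() are an assumption
(the two entries the helper asked the poster to remove).
"""
import re
from dataclasses import dataclass
from typing import Optional

# HijackThis abbreviates the autorun keys as HKLM\..\Run, HKCU\..\Run and
# HKUS\<SID>\..\Run.  Expand them to the path regedit shows.
RUN_PARENT = r"Software\Microsoft\Windows\CurrentVersion"
HIVE_ROOT = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>[^\\]+))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Image part of the value data: a quoted path, or everything up to the first
# executable extension followed by whitespace/end of line (unquoted paths
# containing spaces, e.g. C:\Program Files\..., are common in XP-era entries).
IMAGE_RE = re.compile(
    r'^"(?P<quoted>[^"]+)"|^(?P<plain>.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)',
    re.IGNORECASE,
)


@dataclass
class AutorunEntry:
    reg_key: str          # full key path as regedit shows it
    value_name: str       # the [name] in brackets, i.e. the value to delete
    image: str            # executable as written in the value data
    args: str             # remaining command line
    user: Optional[str]   # only set for HKUS entries
    bare: bool            # True when the image is a bare file name (search-path resolved)


def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one O4 registry line; None for non-O4 lines and Global Startup shortcuts."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    root = r"HKEY_USERS\%s" % m.group("sid") if m.group("sid") else HIVE_ROOT[m.group("hive")]
    reg_key = "\\".join((root, RUN_PARENT, m.group("key")))
    cmd = m.group("cmd").strip()
    im = IMAGE_RE.match(cmd)
    if im:
        image = im.group("quoted") or im.group("plain")
        args = cmd[im.end():].strip()
    else:
        # No recognisable executable extension: treat the first token as the image.
        image, _, args = cmd.partition(" ")
    bare = "\\" not in image and ":" not in image
    return AutorunEntry(reg_key, m.group("name"), image, args, m.group("user"), bare)


def parse_log(text: str):
    return [e for e in (parse_o4(ln) for ln in text.splitlines()) if e]


def removal_targets(entries, value_names):
    """(key, value) pairs to delete in regedit for the names the helper asked to fix."""
    wanted = {n.lower() for n in value_names}
    return [(e.reg_key, e.value_name) for e in entries if e.value_name.lower() in wanted]


def bare_image_entries(entries):
    """Entries whose image is a bare name: Windows resolves it through the search
    path, so the value alone does not tell you which file actually runs."""
    return [e for e in entries if e.bare]


# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\cf\Combobatch.bat
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Assumed: the two values the helper told the poster to remove.
    for key, name in removal_targets(entries, ["braviax", "combofix"]):
        print("delete value %r under %s" % (name, key))
    for e in bare_image_entries(entries):
        print("bare image (search-path resolved): [%s] %s" % (e.value_name, e.image))
```

Bare images are reported, not condemned: nwiz.exe and RUNDLL32.EXE are normal XP entries written the same way, so the point of that list is to tell you which values need the file located on disk before you can judge them, which is exactly why a name-only entry like braviax.exe is hard to assess from the log alone.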

Paraprosdokian
2008-02-17, 19:18
Looks like I'm in the clear. Thanks so very much for all your help. This must be the best service I've ever received... and you're not even being paid! When I get back home, I'll be sure to find a way to donate.

But one more question, if I install Spybot and Adaware, and AVG will that cause any problematic clashes?

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2881 (20080217)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=3c210b434ad10e4d9e2406a18ed59849
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-17 06:08:40
# local_time=2008-02-18 02:08:40 (+0800, )
# country="People's Republic of China"
# osver=5.1.2600 NT Service Pack 1
# scanned=127411
# found=0
# scan_time=652


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:14, on 2008-02-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\conime.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 20976 bytes

little eagle
2008-02-18, 01:00
and you're not even being paid! :oops: well I forgot about that. :laugh:

Uninstall (Start, Control Panel, Add/Remove
Program) the broken Logitech Desktop Messenger.

Then run HJT, scan only, and check any of these that remain then Fix Checked.

O18 - Protocol: bw+0 - ... -8876480.dll

If this is something you really use (though I never met anyone who did)
you can download a new version from the Logitech.com site. (http://www.logitech.com/index.cfm?countryid=19&languageid=1&page=downloads/software&CRID=1810&contentid=6182)
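The advice above, to look for an O18 protocol-handler entry that survives an uninstall and fix it in HijackThis, can be checked mechanically. The following is an added example, not code from the thread or from HijackThis: it parses O18 lines in the log format shown in this thread and flags handlers whose DLL is reported missing, whose DLL sits outside Windows or Program Files, or whose DLL lives under a directory of a program that has just been removed. The sample log lines, the CLSIDs in them, the directory names and the `KNOWN_FILELESS` set are constructed or assumed for the example.

```python
"""Triage of HijackThis O18 (protocol handler) lines.

Added example, not part of the forum thread: parses O18 entries and flags
handlers whose DLL is missing, lives outside Windows/Program Files, or
belongs to a program that has just been uninstalled.
"""
import re

# One O18 line: "O18 - Protocol: <name> - {CLSID}|(no CLSID) - <path>|(no file)"
O18_RE = re.compile(
    r"^O18 - Protocol: (?P<name>\S+) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}|\(no CLSID\)) - (?P<path>.+)$"
)

# Directories a protocol handler normally lives in (assumption: any drive letter,
# short 8.3 form included, as HijackThis prints it).
TRUSTED_DIR_RE = re.compile(
    r"^[A-Za-z]:\\(?:WINDOWS|Program Files|PROGRA~1)\\", re.IGNORECASE
)

# Assumption: XP/Office machines routinely list these with "(no CLSID) - (no file)";
# they are treated as benign so they do not drown out real findings.
KNOWN_FILELESS = {"ipp", "msdaipp"}

# Constructed sample log (modelled on the thread's format; CLSIDs are placeholders,
# "bw+0" stands in for a handler left behind by an uninstalled messenger add-on).
SAMPLE_LOG = r"""
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA00BDCE0B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: bw+0 - {00000000-0000-0000-0000-000000000000} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\handler-8876480.dll
O18 - Protocol: evil - {11111111-1111-1111-1111-111111111111} - C:\Documents and Settings\user\Local Settings\Temp\x.dll
"""


def parse_o18(log_text):
    """Return a list of dicts (name, clsid, path) for every O18 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O18_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage_o18(log_text, removed_dirs=()):
    """Return (handler name, reason) pairs worth reviewing.

    removed_dirs: directory prefixes of programs that were just uninstalled;
    any handler still pointing under them is a leftover to fix.
    """
    findings = []
    for e in parse_o18(log_text):
        name, path = e["name"], e["path"]
        if path == "(no file)":
            if name not in KNOWN_FILELESS:
                findings.append((name, "handler registered but DLL missing"))
            continue
        if any(path.lower().startswith(d.lower()) for d in removed_dirs):
            findings.append((name, "handler left behind by an uninstalled program"))
        elif not TRUSTED_DIR_RE.match(path):
            findings.append((name, "handler DLL outside Windows/Program Files"))
    return findings


if __name__ == "__main__":
    # Re-run after uninstalling the messenger: its directory is now a removed_dir.
    removed = (r"D:\Program Files\Logitech\Desktop Messenger\8876480",)
    for name, reason in triage_o18(SAMPLE_LOG, removed_dirs=removed):
        print(f"{name}: {reason}")
```

Feed it a saved HijackThis log (or a copy of the O18 lines pasted from one) and, after an uninstall, pass the program's install directory in `removed_dirs`; anything it returns is the kind of entry to tick in a scan-only HJT run before choosing Fix Checked. The path-based rules are heuristics, so treat a hit as something to inspect rather than as proof of infection.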

Paraprosdokian
2008-02-18, 03:18
I've got a new error now. When I first tried to turn on the computer today, it froze during start-up before Windows started, then it froze in the same way when I restarted again (ok on third restart). That's never happened before, but it happened yesterday whilst doing some scan.

Also, there was some mild error in the middle of uninstalling, but then it continued and at least removed itself from my add/remove programs list. There were still a lot of entries in HJT, but I've removed them.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15, on 2008-02-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\V-Gear LiveShow\LiveShow.exe
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\LevelOne WNC-0301\RtWLan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\highjakdis\hijakdis.exe

O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [V-Gear LiveShow] "C:\Program Files\V-Gear LiveShow\LiveShow.exe" -m
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "d:\pat\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\msnshell\MSNShell.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Levelone Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 剪貼簿文字: 簡 > 繁 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: 剪貼簿文字: 繁 > 簡 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 網頁: [簡體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: 網頁: [繁體] 顯示 - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=tw.yahoo.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 10387 bytes

little eagle
2008-02-18, 03:24
Can you update to SP2
http://www.update.microsoft.com/windowsupdate

Paraprosdokian
2008-02-18, 03:35
I'm not sure. This isn't my computer, and this is China so I'm not sure if it's even possible to get a real copy of Windows. I don't really want to update to SP2, just in case it disables my Windows and causes my aunt/uncle a lot of bother.

little eagle
2008-02-18, 03:42
Without SP2 you won't be able to keep it clean.:lip:

Paraprosdokian
2008-02-18, 03:47
I'll ask them when they get back from Canada.

I've already installed Spybot and AVG, so that should be adequate protection. Should I also install Adaware or will that clash with Spybot?

Well, thanks so much for your help. Aside from those programs, is there anything else I can do to block viruses (aside from avoiding dodgy sites and P2P)?

little eagle
2008-02-18, 05:21
I don't think Adaware will clash with Spybot.
Just don't activate their real-time protection.

Just some tips to remain malware free (http://www.nutnworks.com/forums/showthread.php?t=98).