downloader.agent.uj



kratinus
2006-08-06, 14:50
Hi,
Until recently, a combination of Spybot, Ad-Aware, Grisoft Anti-virus plus a program (Win Patrol) that monitors startup behaviour, along with Zone Alarm and a router hardware firewall, had seemed to keep my machine safe.
Recently, I had become a bit more careless (not downloaded any Microsoft patches since installing SP2, re-started using an unpatched IE 6 occasionally instead of Firefox) and my laptop had started to play up a bit. Then Grisoft told me recently that I had 3 Trojans, Generic XFV, Clicker & GenericXKS, which it couldn't remove.
I downloaded Ewido and ran it in Safe Mode. This found the above nasty, 'downloader.agent.uj', which seems to be far worse. Ewido couldn't remove it, nor could Blacklight.
I have since run Bit Defender twice (I aborted the first run by accident although it had only found one or two things in the Spybot quarantine archive) and include the scan result from the second run, plus the HijackThis logfile. In between, I ran Spybot twice in Safe Mode. On the second run, Spybot found nothing.

BitDefender Online Scanner

Scan report generated at: Sat, Aug 05, 2006 - 20:58:57
Scan path: C:\;D:\;

Statistics
Time: 02:49:48
Files: 415384
Folders: 6383
Boot Sectors: 2
Archives: 21584
Packed Files: 14474

Results
Identified Viruses: 6
Infected Files: 11
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 11

Engines Info
Virus Definitions: 426912
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Robert Kemp\Local Settings\Temporary Internet Files\Content.IE5\D8OFL5S1\wmp[1].jpeg
    Infected with: MemScan:Trojan.Downloader.Agent.ACH
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{2080B2CB-1605-4CE2-9CDA-445B4D84B1ED}\RP271\A0128116.exe
    Infected with: MemScan:Trojan.Downloader.Agent.ACH
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{2080B2CB-1605-4CE2-9CDA-445B4D84B1ED}\RP273\A0129023.exe
    Infected with: Trojan.Downloader.Mohbpork.A
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{2080B2CB-1605-4CE2-9CDA-445B4D84B1ED}\RP273\A0129043.exe
    Infected with: Trojan.Downloader.Mohbpork.A
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{2080B2CB-1605-4CE2-9CDA-445B4D84B1ED}\RP273\A0129058.exe
    Infected with: Trojan.Downloader.Mohbpork.A
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{2080B2CB-1605-4CE2-9CDA-445B4D84B1ED}\RP273\A0129081.exe
    Infected with: Trojan.Downloader.Mohbpork.A
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{2080B2CB-1605-4CE2-9CDA-445B4D84B1ED}\RP273\A0129094.exe
    Infected with: Trojan.Downloader.Mohbpork.A
    Disinfection failed
    Deleted

C:\WINDOWS\system32\drivers\etc\hosts.20050423-125457.backup
    Infected with: Generic.Qhost.8640E25C
    Disinfection failed
    Deleted

C:\WINDOWS\system32\drivers\etc\hosts.20050502-103221.backup
    Infected with: Generic.Qhost.38F1442A
    Disinfection failed
    Deleted

C:\WINDOWS\system32\drivers\etc\hosts.20050502-103222.backup
    Infected with: Generic.Qhost.0AEF46AA
    Disinfection failed
    Deleted

C:\x.htm
    Infected with: Exploit.Html.Codebase.Exec.Gen
    Disinfection failed
    Deleted

Next the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:52:20, on 06/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\SLEE401.exe
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\RaConfig2500.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148720257500
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CEE4303-89FB-4B6B-97CF-24808978080C}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{1157F732-7938-4FB0-8AED-0B83765DAC00}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{359C36F1-6AD0-4892-A296-703C852869DD}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A15FB00-91A2-48E0-A81E-385C0D8AD0D5}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AA24174-054B-4A52-8625-B3CD3D62A53B}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{867C526E-0D77-4E42-A4DB-4CBAD2399BD8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5EF824-A7D0-496F-B741-C19BAA7982C2}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB0E611-5556-46E5-A20E-84C103CA3304}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CEE4303-89FB-4B6B-97CF-24808978080C}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] (SLEE_401_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE401.exe
O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE81.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

Hope someone can make sense of all this. Any help would be appreciated.

LonnyRJones
2006-08-12, 00:21
Welcome to the forum ..

Scan with hijackthis and fix this item
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
======================
Close Hijackthis
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

Since you mention Blacklight, scan with it and post a log if any files are found.

kratinus
2006-08-12, 12:22
Hi,
Thanks for picking up on my post.
(1) I scanned with HijackThis and got it to fix the item you mention above.
(2) Downloaded Fixwareout and ran it as you instructed. Report follows. Incidentally, WinPatrol told me my HOSTS file had changed, but this turned out to be resetting my Homepage to Microsoft, which I accepted on the assumption that Fixwareout must have reset it.

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmlau.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSGWK.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSGWK.EXE 51,262 2006-07-16
Other suspects
Directory of C:\WINDOWS\system32

(3) I then ran HijackThis. Log follows :-

Logfile of HijackThis v1.99.1
Scan saved at 10:52:17, on 12/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\SLEE401.exe
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\RaConfig2500.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148720257500
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CEE4303-89FB-4B6B-97CF-24808978080C}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{1157F732-7938-4FB0-8AED-0B83765DAC00}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{359C36F1-6AD0-4892-A296-703C852869DD}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A15FB00-91A2-48E0-A81E-385C0D8AD0D5}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AA24174-054B-4A52-8625-B3CD3D62A53B}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{867C526E-0D77-4E42-A4DB-4CBAD2399BD8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5EF824-A7D0-496F-B741-C19BAA7982C2}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB0E611-5556-46E5-A20E-84C103CA3304}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CEE4303-89FB-4B6B-97CF-24808978080C}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] (SLEE_401_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE401.exe
O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE81.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

(4) Finally I ran Blacklight. This time, it found nothing. Can I assume that my machine is clean?
Many thanks.

LonnyRJones
2006-08-12, 13:02
Perhaps you can help, send me this file if it exists
C:\WINDOWS\System32\dmlau.exe
Then delete it and this file >
C:\WINDOWS\System32\CSGWK.EXE
Send it to submitlonny AT subratam.org
Replace AT with @ and remove spaces, then include a link back to this thread.
Or you could attach it here
http://www.thespykiller.co.uk/forum/index.php?board=1.0

These addresses were part of the infection: 85.255.116.150,85.255.112.70
Start Hijackthis and place a check next to these items if there.
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CEE4303-89FB-4B6B-97CF-24808978080C}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{1157F732-7938-4FB0-8AED-0B83765DAC00}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{359C36F1-6AD0-4892-A296-703C852869DD}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A15FB00-91A2-48E0-A81E-385C0D8AD0D5}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AA24174-054B-4A52-8625-B3CD3D62A53B}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{867C526E-0D77-4E42-A4DB-4CBAD2399BD8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5EF824-A7D0-496F-B741-C19BAA7982C2}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB0E611-5556-46E5-A20E-84C103CA3304}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CEE4303-89FB-4B6B-97CF-24808978080C}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
====================================
Hit fix checked and close Hijackthis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note:
If you have connection problems or those O17's ~ 85.255.116.150,85.255.112.70 return >
Before doing this write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
Do that for every connection listed.

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

Post a fresh hijackthis log please, be sure to mention any current problems.
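The two O17 checks above (per-interface and Parameters NameServer keys pointing at 85.255.116.150 / 85.255.112.70) and the hosts-file advice are both about the same thing: the machine's name resolution being redirected. The script below is an added example, not code from the helper, from Fixwareout or from HijackThis. It parses HijackThis-style O17 lines and flags any NameServer that matches an indicator list, and it reads a hosts file and reports names that are sent to a non-local address (the Qhost pattern seen in the BitDefender report), as opposed to the 0.0.0.0/127.0.0.1 sink entries a blocklist hosts file uses. The log lines and hosts file are constructed samples; the indicator list is an assumption built only from the two addresses this thread names.

```python
import ipaddress
import re

# Constructed sample input in the shape of HijackThis O17 lines. The addresses
# 85.255.116.150 and 85.255.112.70 are the ones this thread names as part of
# the infection; the 192.168.1.1 line is a constructed benign entry for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CEE4303-89FB-4B6B-97CF-24808978080C}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# Assumption: an indicator list built only from the addresses named in this thread.
KNOWN_BAD_NAMESERVERS = {"85.255.116.150", "85.255.112.70"}

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry_key, [nameserver, ...]) for an O17 line, else None.

    HijackThis separates servers with a comma on per-interface keys and with a
    space on the Parameters key, so both separators are accepted. Tokens that
    are not literal IP addresses are dropped.
    """
    m = O17_RE.match(line.strip())
    if m is None:
        return None
    servers = []
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return m.group("key"), servers


def find_dns_hijacks(log_text, bad=KNOWN_BAD_NAMESERVERS):
    """Flag every O17 entry whose NameServer list contains an indicator address."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        flagged = sorted(s for s in servers if s in bad)
        if flagged:
            hits.append((key, flagged))
    return hits


# Constructed sample hosts file: sink entries (0.0.0.0 / 127.0.0.1) are what a
# blocklist hosts file looks like; a name mapped to a remote address is a redirect.
SAMPLE_HOSTS = """
# comment line
127.0.0.1       localhost
0.0.0.0         ads.example.invalid
203.0.113.9     update.example-av-vendor.invalid
"""

LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that send a hostname to a non-local address."""
    out = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip in LOCAL_SINKS:
            continue
        for name in names:
            out.append((ip, name))
    return out


if __name__ == "__main__":
    for key, servers in find_dns_hijacks(SAMPLE_HJT_LOG):
        print("DNS hijack indicator:", key, "->", ", ".join(servers))
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts redirect:", name, "->", ip)
```

On a real log, paste the whole HijackThis output into SAMPLE_HJT_LOG (or read it from a file) and point suspicious_hosts_entries at C:\WINDOWS\system32\drivers\etc\hosts; anything the hosts check reports is worth comparing against the MVPS list before deciding it is hostile, since a hosts file can legitimately carry a few non-local entries on some setups.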

kratinus
2006-08-13, 00:47
Hi again,
I couldn't find dmlau.exe in the System32 folder at all, nothing between dmintf.dll and dmloader.dll, so there was nothing to send. I've deleted C:\WINDOWS\System32\CSGWK.exe
I'm about to run HijackThis, in the sincere hope that I don't get connection problems. Will get back a.s.a.p.
Thanks

kratinus
2006-08-13, 02:23
Okay, I ran HijackThis, it found and fixed the Registry items you mentioned. I've since logged off and on, re-connected to the Internet, all without problem or return of those Registry items.
I've just re-run HijackThis. File follows:-

Logfile of HijackThis v1.99.1
Scan saved at 01:11:41, on 13/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\SLEE401.exe
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\RaConfig2500.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148720257500
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] (SLEE_401_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE401.exe
O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE81.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

Thanks for the tip about the HOSTS file ( I'll find out what one is ).

Rob

LonnyRJones
2006-08-13, 02:55
Looks good )

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

kratinus
2006-08-15, 22:24
It's now nearly 3 days since my machine was given the okay and it's been behaving pretty well. The net address '85.255.116.150,85.255.112.70' has not returned & I've had no problems connecting to the Internet.
The only unusual thing I've had was a one-off message from Zone Alarm on Sunday morning :-
"The firewall has blocked Internet access to ???.???.?.? (DNS ) from your computer.
Program: Generic Host Process for Win 32 Services"
It's very unusual to see that. In any case, C:\WINDOWS\system32\svchost.exe, which I think is the process being referred to, has automatic access to the Internet, so it seemed strange for Zone Alarm to block it. That apart, everything else seems fine.

LonnyRJones
2006-08-16, 00:59
Hi

Check here
http://forums.zonelabs.com/zonelabs/search?q=Generic+Host+Process+for+Win+32+Services

On the left side, click Program Control, then in the tabs across the top click the Program List tab. In the list of programs find the entry for Generic Host Process for Win 32 Services. Then in the Access columns and the Trusted Zone Server columns, click on the icon if it's anything other than a green check, and select Allow.

On another subject:
Be sure to update Sun's Java, then uninstall the older versions.
Sun Java "Java Runtime Environment (JRE) 5.0 Update 7 (or 8)" is available:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Afterwards it's important to uninstall the old versions via Add/Remove Programs.

kratinus
2006-08-19, 08:49
Hi again,
For some reason, Zone Alarm's 'Internet Server' setting on 'Generic Host Process for Win32 Services' had been reset to 'Block'. It's now set to 'Allow' ( green tick ).
I've updated the JRE with the latest version ( uninstalling the old ). I was expecting to have to re-boot my machine, but it didn't ask me to. I got WinPatrol to disable/remove the Java Update Scheduler as I couldn't see the point in having yet another process running in the background, using up more CPU, when I could manually check for updates.
For this reason, in working through "So how did I get infected in the first place ?", I haven't installed SpywareGuard. It's the same reason as I don't have an Internet Security Package running in the background. I run one or two 3-D programs and they need all the CPU they can get. So, unless you say that I simply must have this or that real-time spyware program, I'm simply sticking with programs that can be fired up at intervals.
I have had one or two connection problems in the last day or two, so I perhaps will have to follow your suggestion of a few days ago, re. re-setting my Internet connections. Why do I need to write down all my settings before beginning ? As a fallback in case things go wrong ?
Many thanks.

LonnyRJones
2006-08-19, 09:58
As a fallback in case things go wrong ?
Yes, but it looks as if you were able to come back after fixing those O17's,
so manually adjusting Network Connections shouldn't be necessary.

WinPatrol to disable/remove the Java Update Scheduler
I disable it too, but it's best to do so from within Java's options.

kratinus
2006-08-24, 23:44
I have a hardware firewall in the form of a router and a software firewall ( Zone Alarm )on the laptop. When the connection software dials out from the laptop after I've switched on the laptop, I get a message
"WLANCfg is trying to access the Internet........Destination IP: 123.321.1.1" ( not the true number ). Occasionally Zone Alarm Flashes up the message "Protected: The firewall has blocked Internet access to your computer from 123.321.1.1" That means that the site I was originally trying to connect to is trying to connect with my machine. Since this is the only attempt that the router firewall allows through, should I change my permissions for WLANCfg in Zone Alarm to be the same as svchost.exe, i.e.allow everything ?
I'm sorry that so many days pass before I contact you again. I'm very busy at the moment and some nights I don't even get to switch on the machine.
Thanks for your patience.

LonnyRJones
2006-08-25, 05:24
I'm not sure what you're saying; you need to set ZA to allow any legit Windows files such as svchost.exe.

ZA has a help forum so you could post there if needed.

tashi
2006-08-31, 05:14
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

LonnyRJones
2006-09-01, 11:16
Originally Posted by kratinus
I think my post 'downloader.agent.uj' ( http://forums.spybot.info/showthread.php?t=6394 ) is about to drop off the current list, so it seems the right time to thank you for helping me out of the mess I'd managed to get into a few weeks ago, by being careless enough to let a rootkit and a few associated nasties onto my laptop.
Restoring my machine to health seemed a bit of a drawn-out process but that was because I was so busy at the time that I didn't have enough time to check out the state of my machine as the 'medicine' was being progressively applied.
Anyway, it all seems fine now, so thanks for your time and expertise.
Hopefully, I've learnt my lesson, but if I do have any more problems in the future, let me reassure you that I'll apply for help via the forum, not by contacting you personally.
Finally, your help prompted me to do what I've been intending to do for 2 or 3 years - make a donation to Spybot. Let's just say it was more than the $50 that Spyware Doctor wanted from me before it would remove the assorted malware that it claimed to have found.

Robert Kemp ( aka kratinus )