
Thread: CmdService - check my logs

  1. #1 Junior Member (Join Date: Aug 2006; Posts: 7)

    CmdService - check my logs

    Dear community

    Could someone check my logs and tell me what to delete? I can't get rid of cmdservice.
    Logfile of HijackThis v1.99.1
    Scan saved at 11:48:01, on 27/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\outlook\outlook.exe
    C:\Program Files\Common Files\{8484AEC9-0BF0-1033-1202-03051220002c}\Update.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\AntiSpyware\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [cna949a5] RUNDLL32.EXE w20a86d8.dll,n 003949a20000000a20a86d8
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.brdatahost.com
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int6.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://82.3.250.209/cab/OCXChecker_6110.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.msngamecentre.co.uk/onlin...ploader_v6.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe

    Thanks
    Last edited by tashi; 2006-08-28 at 09:51. Reason: Moved topic from Spybot-S&D forum, no hjt logs ;)

  2. #2 pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Welcome to the forum. You have a nasty infection called the Alcan worm, and it would be wise to stay offline as much as possible until you are clean; this junk will attract others. Let me know what program is finding commnd.exe. If it is Spybot, it is locating leftovers in the registry left by a poor removal by another program (possibly Ad-aware?); we will deal with that issue before we are finished. It is important that you follow these directions carefully.

    Thanks to Metallica and any others who helped with this fix.

    1. Please download Ewido Anti-Malware
    • Install ewido anti-malware
    • Launch ewido, there should be an icon on your desktop, double-click it.
    • The program will now open to the main screen.
    • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

      You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click Update.
      • Then click on Start Update.
      • The update will start and a progress bar will show the updates being installed.
        (the status bar at the bottom will display "Update successful")
    • Exit Ewido, do not run the scan yet!
    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates

    2. Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

    4. Once in Safe Mode, Open Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • You will be prompted to clean the first infection.
    • Select "Perform action on all infections", then proceed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.
    Close ewido anti-malware.

    5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log. Please add any comments you think will help.

    Thanks

  3. #3 Junior Member (Join Date: Aug 2006; Posts: 7)

    Cmdservice

    Thanks for the info, will try it and get back. Here is some background information.

    I used Limewire to download a file, and against my basic rule I unzipped the downloaded file - should have heeded my own advice. This resulted in pop-up ads galore, and bloody Limewire would not shut down; it kept getting restarted by (I think) CmdService. I also think it used Limewire and its port settings to download more rubbish. I had to delete Limewire, stop the Internet connection and then took the following steps.

    1) Decided it would be a good time to remove old programs and ruthlessly went through and removed old games etc.

    2) Used Windows Defender under its Tools section to check what services were running and removed a lot of historical items, e.g. Nokia phone connections etc. This also would help reduce run times when I used the tools below.

    3) Ran Windows Defender (full scan); it identified a number of items and removed them.

    4) Ran Ad-Aware from Lavasoft and removed some more items.

    5) By far the best: ran Spybot and it removed a large number of items but could not get rid of cmdService. Tried rebooting as recommended and it still could not be deleted.

    Spent the last few days reading through the forum logs and someone mentioned CCleaner, which I downloaded last night, and it removed CmdService.

    However, I am still getting pop-up ads and my gaming sessions keep getting minimised. So there appears to be some other infection. So will follow your instructions to resolve this malware, adware?

    Will get back to you. Thanks

  4. #4 pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Thanks for the feedback. Here is a little information about Alcan; it does indeed spread via file sharing:

    http://vil.nai.com/vil/content/v_133690.htm
    http://www.google.com/search?sourcei...n&q=Alcan+worm

    http://pcpitstop.com/spycheck/p2p.asp
    http://pcpitstop.com/spycheck/badtorrent.asp

    Thanks

  5. #5 Junior Member (Join Date: Aug 2006; Posts: 7)

    Ewido ran

    pskelley

    Ran Ewido and the other applications as directed; there is still a problem.

    Once Ewido had completed its scan (2.5 hrs) it listed some 10,854 items. It informed me that it could not isolate a game.zip file and asked me if I wanted to quarantine it and its folder, which I said yes to.

    When all steps were taken, rebooted the PC and went back into the PC to run the HijackThis log. I noticed that the response times were very poor. Did Alt, Ctrl and Delete to check if any processes were running but none were running. Yet the PC was sluggish and it was doing something. I suspect something was being replicated.

    Anyway, did the HijackThis log, but also decided to try the Ewido quick registry scan and it found another item. Did a quick system scan and it found 5 items. So something is amiss.

    Went back into Safe Mode and could not run Ewido; it failed to display its main menu. When I shut down the PC it ended the Ewido programme.

    I did notice that someone at home downloaded Limewire, and have deleted it again.

    regards
    ********************************************************
    Logfile of HijackThis v1.99.1
    Scan saved at 06:24:43, on 31/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\AntiSpyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [cna949a5] RUNDLL32.EXE w20a86d8.dll,n 003949a20000000a20a86d8
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.brdatahost.com
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int6.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://82.3.250.209/cab/OCXChecker_6110.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.msngamecentre.co.uk/onlin...ploader_v6.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe

  6. #6 pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Looking over your feedback first, then I will continue with the cleanup. Show the user who thinks LimeWire is cool this information:
    http://www3.ca.com/securityadvisor/p...x?id=453088059 I would not have the junk on any computer I own.

    Once Ewido had completed its scan (2.5 hrs) it listed some 10,854 items

    Not only did you have a badly infected computer, it seems it is loaded up with junk also. I will have to assume a vast majority of those items are cookies that you do not need to store on the computer. I do need to see that ewido scan result. You may edit out all cookies, just be sure you deleted them. You may also edit out any reference to System Restore or System Information; we will be cleaning that area before we are done. Post the balance of the ewido report even if you need to split it.

    It informed me that it could not isolate a game.zip file and asked me if I wanted to quarantine it and its folder which I said yes.

    That is fine; if for some reason the file was valid and needed for a valid game you can restore it from quarantine. This happens rarely.

    The PC is going to be a little sluggish until we get all of this junk off it. The stuff does not come off as easily as it gets on.

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) Spyware programs will block the changes we must make, turn them off until you are done:
    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    Open Windows Defender, Click on Tools, General Settings.
    Scroll down and uncheck Turn on real-time protection (recommended).
    After you uncheck this, click on the Save button and close Windows Defender.
    After all of the fixes are complete it is very important that you enable Real-time Protection again.

    First disable Ewido, as it might be trying to interfere...
    Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'

    4) You are running a rogue spyware product, see this list:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [cna949a5] RUNDLL32.EXE w20a86d8.dll,n 003949a20000000a20a86d8
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    rogue product
    O15 - Trusted Zone: *.brdatahost.com
    (above? if you know it is safe you can leave it)
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int6.exe
    Dialer.Trafficadvance
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    7AdPower Dialer
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.msngamecentre.co.uk/onlin...ploader_v6.cab
    ADW_POP.A

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    6) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Program Files\SpywareBot\ <<< delete that folder

    7) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post the ewido scan results missed earlier and a new HJT log. Include any comments you think will help.

    Thanks
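
As an added example, not code from this thread or from HijackThis itself: a small Python triage script that parses HJT line items and applies the review heuristics used in the fix list above (missing R3 hook, O3 toolbars with no file, O4 autoruns given without a full path or rundll32 loading an unnamed DLL, O15 trusted zones, O16 DPF controls with no registered name, a bare-IP host or an .exe target). The sample lines are copied from the logs posted in this thread; the heuristics and reason strings are the example's own and mark items for review, not as verdicts.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a subset of line items copied from the HijackThis logs
# posted in this thread, chosen to cover both benign and suspect cases.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [cna949a5] RUNDLL32.EXE w20a86d8.dll,n 003949a20000000a20a86d8
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int6.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
""".strip()

# Every HJT line item starts with a section tag such as "R3 - " or "O16 - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry autoruns: "<hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r".*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll)", re.IGNORECASE)
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
# O16 DPF: "{CLSID} (Optional Name) - <url>"
O16_RE = re.compile(r"DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Return (section, body) pairs for every HJT line item. Header lines and
    the running-process list do not carry the 'Rn - ' / 'Onn - ' prefix."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _host_is_ip(url):
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def _check_o4(body):
    m = O4_RE.match(body)
    if not m:  # Global Startup .lnk entries use a different layout; skip them
        return None
    cmd = m.group("cmd")
    r = RUNDLL_RE.match(cmd)
    if r:
        if "\\" not in r.group("dll"):
            return "rundll32 loads a DLL given with no directory and a random-looking name"
        return None
    if not FULL_PATH_RE.match(cmd):
        return "autorun target given without a full path"
    return None


def _check_o16(body):
    m = O16_RE.match(body)
    if not m:
        return None
    reasons = []
    if m.group("name") is None:
        reasons.append("no control name registered")
    if _host_is_ip(m.group("url")):
        reasons.append("downloaded from a bare IP address")
    if m.group("url").lower().endswith(".exe"):
        reasons.append("target is an executable rather than a CAB")
    return "; ".join(reasons) or None


def triage(log_text):
    """Apply the review heuristics and return the flagged items in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        reason = None
        if section == "R3" and "is missing" in body:
            reason = "default URLSearchHook missing, usually left behind after a hijacker was removed"
        elif section == "O3" and "(no file)" in body:
            reason = "orphaned toolbar registration, file no longer on disk"
        elif section == "O4":
            reason = _check_o4(body)
        elif section == "O15":
            reason = "Trusted Zone entry relaxes IE security for this domain; keep only if known"
        elif section == "O16":
            reason = _check_o16(body)
        if reason:
            findings.append(Finding(section, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```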

  7. #7 Junior Member (Join Date: Aug 2006; Posts: 7)

    Worm.VB Ewido & HijackThis log

    Here are the logs. Unable to find the file SpywareBot to delete as requested. Followed instructions and did all the rest.

    Ewido scan too long, have shortened it, could not attach it.

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 19:36:38 01/09/2006

    + Scan result:
    .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virgin Radio 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\VirtFire 1.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\VirtGuard 2.02.04.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virticon Millennium 1.05.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtins Pocket Instrument 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtins Pocket Oscilloscope 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtins Pocket Signal Generator 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtins Pocket Spectrum Analyzer 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtins Sound Card Instrument 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtins Sound Card Oscilloscope 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtins Sound Card Signal Generator 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtins Sound Card Spectrum Analyzer 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtos Noise Wizard 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtua Fighter 2 demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtua Fighter PC demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtua Squad 2 demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtua Tennis demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtua Tennis rar.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\VirtuaDisk 1.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\VirtuaRAID Manager 2.3.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\VirtuaReminder 1.060.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Administrator 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Album - Photo Album Software 3.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Album Maker Standard 1.31.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Art Gallery USA Vol.1 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Audio Cable 3.10.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Ball Fighter SE 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Battle Field 1 Desert Wars Demo 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Bingo and Random Number Generator 4.0.2223.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Body Guards 1.1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual C.R.O. 2.0.3.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual CD 8.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual CD Manager 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Cigarette 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Cover Creator 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual DJ 3.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual DJ Studio 4.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual DVD Shelf 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Desk 1.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Desktop Toolbox 2.72.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Domain Name Services 2.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Drive Creator 2.0.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Drum 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Dumpster Diver Pro 2.0.23.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Earth - Bus Tracker 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Edit 1.25.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Encrypted Disk 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Engine Calculator 2.20.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Fader Master 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Fashion MakeUp 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Fashion Professional 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Figure Drawing Studio 2.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual FireworX Screensaver 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Flash Drive 2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual FlashCards 2.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Gallery Sandra Bullock v1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Grand Prix 2 1.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Horse Racing Game 2.14.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Hymnal 2.01.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Image Printer 2000 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Impact 1.15.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Intelligence Matrix 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Juggler 3d Gold 2.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Keyboard 1.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Keyboard Assistant 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Layout Artist 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Library 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Marbles 1.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Messenger 2.0.2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Midi Controller 1.0.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Modem 1.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Morse Key 2.5.39.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Music 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Music Jukebox 7.2.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Network Computing 3.3.7.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Null Modem 2.0.1 Build 5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Organizer 2.0.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Original CD Drive Emulator 2.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual PDF Printer 1.01.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Painter 5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Pool 3 demo 3.2.1.7.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Pool Windows 95 demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Port Monitor 4.0x.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Print Engine Professional Edition 3.20.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual Printer Driver for Windows 2000 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    C:\Documents and Settings\Lobo\Complete\Virtual RC Racing demo 3.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.



Part of the scan results. System is still replicating. Help

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Copy and paste your logs as in the pinned (sticky) instructions. Do not attach them. I need to see that HJT log.

    Read all instructions before you start, you have optional things to think about.
Now let's talk about ewido. Look at the scan results; you have infected files here:
    C:\Documents and Settings\Lobo\Complete\Virgin Radio 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
    and on down through all of those scan results files.

    You will have to do this, I have no tool that will do it for you. ewido can't as you can see.

    The only thing I can think of is to go here and manually delete the infected files:
    C:\Documents and Settings\ <<< Leave this alone
    Lobo\ <<< this is probably yours, look to see what is in it.
    Complete\ <<< same, you will probably be deleting all files in these folders
    Virgin Radio 1.1.zip/ <<< I would delete this
    Setup.exe <<< and this.

It appears to me that something has infected these files, and ewido calls it Worm.VB.dw.
You will have to clean out the junk; once it is gone, you should be able to run ewido. If you believe this is an error that ewido is making and the files are not bad, then edit that stuff out of the log before posting it.
    If you want to check files to make sure they are infected, here are free online tools:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html

    Once you get rid of that infected junk, then post a ewido scan results and HJT log that is copy/pasted.

    Thanks
    Last edited by pskelley; 2006-09-01 at 22:21.
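The manual clean-up pskelley describes above (find every archive ewido could not clean, note the folders they sit in, and check doubtful files against an online scanner) can be scripted instead of read off the report by eye. The following is an added example, not code from the thread or from ewido: it parses report lines of the shape quoted above, groups the uncleaned members by their parent archive, lists the folders to review, and hashes an archive member in memory so the SHA-256 can be looked up at a service such as VirusTotal without extracting or running the file. The three report lines and the in-memory zip are constructed for the example; the third report line (a cleaned readme.txt) is made up to show a cleaned entry being ignored.

```python
import hashlib
import io
import ntpath
import re
import zipfile
from collections import defaultdict

# Constructed sample in the shape of the ewido report quoted in the thread
# (three lines; the third is made up to show a cleaned entry being ignored).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Lobo\Complete\Virtual DJ 3.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Modem 1.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Modem 1.5.zip/readme.txt -> Worm.VB.dw : Cleaned.
"""

# "<path> -> <detection> : <status>."; the path may be "<archive>/<member>".
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<status>.+?)\.?$")


def parse_report(text):
    """Turn report lines into dicts; non-matching lines (headers, blanks) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        archive, sep, member = m.group("path").partition("/")
        entries.append({
            "archive": archive if sep else None,   # None when the file is not inside an archive
            "member": member if sep else archive,
            "detection": m.group("detection"),
            "status": m.group("status"),
        })
    return entries


def uncleaned_archives(entries):
    """Archives that still hold at least one member the scanner could not clean."""
    by_archive = defaultdict(set)
    for e in entries:
        if e["archive"] and e["status"].lower().startswith("error"):
            by_archive[e["archive"]].add(e["member"])
    return dict(by_archive)


def folders_to_review(archives):
    """Parent folders of the flagged archives (ntpath so this also works off-Windows)."""
    return sorted({ntpath.dirname(a) for a in archives})


def sha256_of_member(zip_bytes, member):
    """Hash one archive member in memory, without writing it to disk or running it."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(member) as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_zip(members):
    """Constructed in-memory archive so the hashing path can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    flagged = uncleaned_archives(parse_report(SAMPLE_REPORT))
    for archive, members in sorted(flagged.items()):
        print(archive, "->", ", ".join(sorted(members)))
    print("folders:", folders_to_review(flagged))
    sample = build_sample_zip({"Setup.exe": b"placeholder bytes, not a real installer"})
    print("sha256:", sha256_of_member(sample, "Setup.exe"))
```

On a real machine you would read the archive bytes from disk and pass them to sha256_of_member; hashing in memory and looking the hash up means the suspect Setup.exe is never extracted to a folder where it could be double-clicked.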

  9. #9
    Junior Member
    Join Date
    Aug 2006
    Posts
    7

    Default Problem may be solved

    Pskelley

Think the problem is solved, ran ewido a few times and it got rid of Worm.VB.dw. See attached logs. There is one problem left. When I start the PC it seems to be doing something and all actions are delayed and response is sluggish. Could it be the virus/adware checkers running on start up? As I write I have clicked on ewido to start but no response. It kicks in some 45 minutes later. Have looked in Defender under tools to see what autostart programs kick in but can't see anything. As I write ewido has come up and the PC seems faster (45 minutes). Any ideas?

    ***************************************************
    Logfile of HijackThis v1.99.1
    Scan saved at 11:14:37, on 03/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\AntiSpyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://82.3.250.209/cab/OCXChecker_6110.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe

    ********************************************************
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:45:54 03/09/2006

    + Scan result:



    Nothing found.



    ::Report end

    ****************************************************

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for the feedback, the HJT log looks to be clean, as was ewido. Do you know what this is?
    O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http:///cab/OCXChecker_6110.cab
    I just checked and it tracks back to this:
    http://whois.domaintools.com/82.3.250.209
    so it is probably not a problem.

During the trial, ewido gives you realtime protection and it might slow you a little, but it should be nothing like that. Let's look at a couple of possibilities.

    1) Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.

2) Let's check for rootkit infections, download BlackLight from here:
    https://europe.f-secure.com/blacklight/try.shtml
    run the scan only and post it for me.

    3) Any error messages at all?

    Thanks
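The one entry pskelley singled out in the log above is an O16 DPF line whose download URL is a bare IP address rather than a domain, which is why it needed a whois lookup before being dismissed. The script below is an added example, not code from the thread or from HijackThis: it parses HJT entries of the kinds shown in the log, extracts the host from each O16 DPF URL, and flags entries that download ActiveX controls from a bare IP, plus any entry marked "(file missing)", as the items to look at first. A flag here is a prompt for the kind of manual check pskelley did, not a verdict that the entry is malicious. The sample log lines are constructed to match the shape of the posted log.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in the shape of the HJT log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://82.3.250.209/cab/OCXChecker_6110.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

# Every HJT entry starts with a kind code such as R0, F2, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (Friendly Name) - URL"; the friendly name is optional.
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) (?:\((?P<name>[^)]*)\) )?- (?P<url>\S+)$")


def parse_hjt(text):
    """Yield (kind, body) for each HJT entry; headers and the process list are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def is_bare_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def dpf_host(body):
    """Host part of an O16 DPF download URL, or None if the body does not parse."""
    m = DPF_RE.match(body)
    if not m:
        return None
    return urlsplit(m.group("url")).hostname


def triage(text):
    """Return findings for manual review, in log order."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "O16":
            host = dpf_host(body)
            if host and is_bare_ip(host):
                findings.append({"kind": kind, "reason": "bare-ip-dpf", "detail": host})
        if "(file missing)" in body:
            findings.append({"kind": kind, "reason": "file-missing", "detail": body})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["reason"], f["detail"])
```

Feed it the whole pasted log; lines that are not HJT entries (the header, the running-process list, the separators) are ignored, so no pre-cleaning is needed. The bare-IP check is deliberately narrow: a domain can be just as hostile, but an IP literal in a DPF entry has no name to vet against the vendor it claims to be.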
