w32.Myzor.FK@yf

cguenther (Newbie) | 21. July 2006 @ 07:37

							First let me say thanks for all the help.  You guys are amazing.
Okay... here is the ewido scan and the HijackThis scan.  Just as I was about to post this after running these scans, my comp rebooted itself... ???
 
 ---------------------------------------------------------
 ewido anti-spyware - Scan Report
 ---------------------------------------------------------
 
 + Created at:	10:18:34 AM 7/21/2006
 
 + Scan result:
 
 
 
 HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
 C:\WINDOWS\Downloaded Program Files\77ce52d4ff035b41facb470912666945_35.exe -> Downloader.Small.bwy : Cleaned with backup (quarantined).
 C:\dfndrad_5.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
 C:\WINDOWS\system32\bkflofpe.exe -> Proxy.Wopla.y : Cleaned with backup (quarantined).
 C:\WINDOWS\system32\lcneadik.exe -> Proxy.Wopla.y : Cleaned with backup (quarantined).
 C:\WINDOWS\system32\lfgmmpgc.exe -> Proxy.Wopla.y : Cleaned with backup (quarantined).
 C:\Documents and Settings\User\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
 C:\WINDOWS\Downloaded Program Files\UDC6_0001_D10M2905NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
 C:\Program Files\Common Files\{2025D77F-0A6B-1033-1014-051226050001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).
 
 
 ::Report end
 
 Logfile of HijackThis v1.99.1
 Scan saved at 10:22:14 AM, on 7/21/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Program Files\Windows Defender\MsMpEng.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
 C:\Documents and Settings\User\Desktop\Downloads\HijackThis_v1.99.1.exe
 
 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
 O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
 O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
 O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
 O4 - HKLM\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
 O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
 O4 - HKLM\..\RunServices: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
 O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
 O4 - HKCU\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
 O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
 O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
 O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
 O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
 O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
 O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
 O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
 O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
 O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
 O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Senior Member | 21. July 2006 @ 10:08

Do you know what this is?
 O4 - HKLM\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 
If not, scan it there:
 http://www.virustotal.com/en/indexf.html
 
Logs are clean

cguenther (Newbie) | 21. July 2006 @ 10:56

							
I can't select that file to scan because I can't find it in system32... weird.

Senior Member | 21. July 2006 @ 11:31

cguenther (Newbie) | 21. July 2006 @ 14:26

							
Still can't find it.

cguenther (Newbie) | 21. July 2006 @ 14:30

Latest HijackThis logfile:
 Logfile of HijackThis v1.99.1
 Scan saved at 5:24:21 PM, on 7/21/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Program Files\Windows Defender\MsMpEng.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
 C:\PROGRA~1\SYMANT~1\VPTray.exe
 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
 C:\WINDOWS\SOUNDMAN.EXE
 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 C:\Program Files\Windows Defender\MSASCui.exe
 C:\WINDOWS\system32\RUNDLL32.EXE
 C:\Program Files\Symantec AntiVirus\DefWatch.exe
 C:\Program Files\ewido anti-spyware 4.0\guard.exe
 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\WINDOWS\system32\nvsvc32.exe
 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 C:\WINDOWS\system32\sistray.exe
 C:\WINDOWS\system32\wscntfy.exe
 C:\Program Files\Internet Explorer\iexplore.exe
 C:\Documents and Settings\User\Desktop\Downloads\HijackThis_v1.99.1.exe
 
 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
 O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
 O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
 O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
 O4 - HKLM\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
 O4 - HKLM\..\RunServices: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
 O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
 O4 - HKCU\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
 O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
 O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
 O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
 O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
 O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
 O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
 O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
 O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
 O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
 O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Senior Member | 21. July 2006 @ 22:56

cguenther (Newbie) | 22. July 2006 @ 17:14

							K... ActiveScan report first.  The text is a little fragmented but it found adware as well as the two smitfraud tools.
 
 Incident                                                       Status                        Location
 
 Adware:adware/sidesearch                                                        Not disinfected               Windows Registry
 Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\Documents and Settings\User\Desktop\SmitfraudFix\Process.exe
 Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\Documents and Settings\User\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
 
 
And now for the Kaspersky report...
 
 KASPERSKY ONLINE SCANNER REPORT
 Saturday, July 22, 2006 4:09:09 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 22/07/2006
 Kaspersky Anti-Virus database records: 209167
 
 
 Scan Settings
 Scan using the following antivirus database extended
 Scan Archives true
 Scan Mail Bases true
 
 Scan Target My Computer
 A:\
 C:\
 D:\
 
 Scan Statistics
 Total number of scanned objects 42531
 Number of viruses found 19
 Number of infected objects 59 / 0
 Number of suspicious objects 2
 Duration of the scan process 00:48:17
 
 Infected Object Name Virus Name Last Action
 C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-05062006-165914.log  Object is locked  skipped
 
 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/drsmartload849a.exe  Suspicious: Password-protected-EXE  skipped
 
 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip  ZIP: suspicious - 1  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat  Object is locked  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04DC0000\44FF7EB7.VBN  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80000\4EFA8F62.VBN  Infected: Trojan-Proxy.Win32.Agent.km  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80001\4EFA8F70.VBN  Infected: Trojan-Proxy.Win32.Agent.km  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0001.VBN/FamilyKeyLogger-setup.exe/stream/data0007  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0001.VBN/FamilyKeyLogger-setup.exe/stream/data0009  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0001.VBN/FamilyKeyLogger-setup.exe/stream/data0010  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0001.VBN/FamilyKeyLogger-setup.exe/stream  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0001.VBN/FamilyKeyLogger-setup.exe  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0001.VBN  ZIP: infected - 5  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0001.VBN  CryptZ: infected - 5  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN/FamilyKeyLogger-setup.exe/stream/data0007  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN/FamilyKeyLogger-setup.exe/stream/data0009  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN/FamilyKeyLogger-setup.exe/stream/data0010  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN/FamilyKeyLogger-setup.exe/stream  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN/FamilyKeyLogger-setup.exe  Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN  ZIP: infected - 5  skipped
 
 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN  CryptZ: infected - 5  skipped
 
 C:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped
 
 C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
 
 C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
 
 C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
 
 C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
 
 C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped
 
 C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped
 
 C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
 
 C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
 
 C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped
 
 C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped
 
 C:\Documents and Settings\User\Cookies\index.dat  Object is locked  skipped
 
 C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
 
 C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
 
 C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{429C6877-7F55-43DC-ABB9-412BEEBA88B2}  Object is locked  skipped
 
 C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
 
 C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012006072220060723\index.dat  Object is locked  skipped
 
 C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
 
 C:\Documents and Settings\User\NTUSER.DAT  Object is locked  skipped
 
 C:\Documents and Settings\User\NTUSER.DAT.LOG  Object is locked  skipped
 
 C:\Documents and Settings\User\UserData\index.dat  Object is locked  skipped
 
 C:\OiUninstaller.exe/data0003  Infected: not-a-virus:AdWare.Win32.PurityScan.bu  skipped
 
 C:\OiUninstaller.exe  NSIS: infected - 1  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log  Object is locked  skipped
 
 C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log  Object is locked  skipped
 
 C:\Program Files\Symantec AntiVirus\SAVRT\0171NAV~.TMP  Object is locked  skipped
 
 C:\Program Files\Symantec AntiVirus\SAVRT\0477NAV~.TMP  Object is locked  skipped
 
 C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP231\A0013332.exe  Infected: Trojan-Downloader.Win32.Adload.cw  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP232\A0013425.exe  Infected: Trojan-Downloader.Win32.Adload.ca  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP232\A0013428.exe  Infected: Trojan-Proxy.Win32.Small.bo  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP232\A0013430.exe  Infected: Trojan-PSW.Win32.Sinowal.v  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP234\A0013552.exe  Infected: Trojan-Downloader.Win32.Adload.cw  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP234\A0013560.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP234\A0013561.dll  Infected: Trojan-Downloader.Win32.Zlob.zd  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP235\A0013593.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP235\A0013594.dll  Infected: Trojan-Downloader.Win32.Zlob.zd  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP237\A0013619.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP237\A0013620.dll  Infected: Trojan-Downloader.Win32.Zlob.zd  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP239\A0013686.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP239\A0013687.dll  Infected: Trojan-Downloader.Win32.Zlob.zd  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP241\A0013702.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP241\A0013703.dll  Infected: Trojan-Downloader.Win32.Zlob.zd  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP242\A0013707.exe  Infected: Trojan-Downloader.Win32.PurityScan.cq  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP242\A0013713.dll  Infected: Trojan-Downloader.Win32.Zlob.zd  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP242\A0013714.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP245\A0013724.exe  Infected: Trojan-Downloader.Win32.Zlob.zd  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP245\A0013726.dll  Infected: Trojan-Downloader.Win32.Zlob.zd  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP245\A0013732.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP245\A0013733.dll  Infected: Trojan-Downloader.Win32.Zlob.zi  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP246\A0013736.dll  Infected: Trojan-Downloader.Win32.Zlob.zi  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP246\A0013742.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP247\A0013749.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP249\A0013759.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP251\A0013777.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP252\A0013780.exe  Infected: Trojan-Downloader.Win32.Zlob.to  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP253\A0013790.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP255\A0013829.exe  Infected: Trojan-Downloader.Win32.Zlob.zh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP255\A0013831.exe  Infected: Trojan-Downloader.Win32.Zlob.xp  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP255\A0013834.dll  Infected: not-virus:Hoax.Win32.Renos.dw  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP261\A0014869.dll  Infected: not-a-virus:AdWare.Win32.PurityScan.en  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP261\A0014870.dll  Infected: Packed.Win32.Klone.g  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP263\A0014887.exe  Infected: Trojan-Clicker.Win32.VB.nh  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP263\A0014889.exe  Infected: Trojan-Proxy.Win32.Wopla.y  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP263\A0014890.exe  Infected: Trojan-Proxy.Win32.Wopla.y  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP263\A0014891.exe  Infected: Trojan-Proxy.Win32.Wopla.y  skipped
 
 C:\System Volume Information\_restore{E5ECF857-D615-488A-8FD7-B6990AAD7465}\RP273\change.log  Object is locked  skipped
 
 C:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped
 
 C:\WINDOWS\SchedLgU.Txt  Object is locked  skipped
 
 C:\WINDOWS\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped
 
 C:\WINDOWS\Sti_Trace.log  Object is locked  skipped
 
 C:\WINDOWS\system32\CatRoot2\edb.log  Object is locked  skipped
 
 C:\WINDOWS\system32\CatRoot2\tmp.edb  Object is locked  skipped
 
 C:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped
 
 C:\WINDOWS\system32\config\default  Object is locked  skipped
 
 C:\WINDOWS\system32\config\default.LOG  Object is locked  skipped
 
 C:\WINDOWS\system32\config\SAM  Object is locked  skipped
 
 C:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped
 
 C:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped
 
 C:\WINDOWS\system32\config\SECURITY  Object is locked  skipped
 
 C:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped
 
 C:\WINDOWS\system32\config\software  Object is locked  skipped
 
 C:\WINDOWS\system32\config\software.LOG  Object is locked  skipped
 
 C:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped
 
 C:\WINDOWS\system32\config\system  Object is locked  skipped
 
 C:\WINDOWS\system32\config\system.LOG  Object is locked  skipped
 
 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped
 
 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped
 
 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped
 
 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped
 
 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped
 
 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped
 
 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped
 
 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4VU5SHWB\OiUninstaller[1].exe/data0003  Infected: not-a-virus:AdWare.Win32.PurityScan.bu  skipped
 
 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4VU5SHWB\OiUninstaller[1].exe  NSIS: infected - 1  skipped
 
 C:\WINDOWS\wiadebug.log  Object is locked  skipped
 
 C:\WINDOWS\wiaservc.log  Object is locked  skipped
 
 C:\WINDOWS\WindowsUpdate.log  Object is locked  skipped
 
 Scan process completed.
 
 
 Now what?
Senior Member | 23. July 2006 @ 00:28
As you can read, Panda finds only SmitfraudFix's tool: Process.exe. So it's okay.
 Kaspersky finds mainly quarantined files or backups of removed lurks. Also Kaspersky finds lurks in your system restore; let's clean it.
 
 Disable system restore:
 
 http://www.pchell.com/virus/systemrestore.shtml
 
 Scan hijack and check:
 
 O4 - HKLM\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKLM\..\RunServices: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKCU\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 
 Close all programs except hijack and click fix checked.
 
 Boot comp and put system restore on.
 
 Send a fresh hijack log
 
 
cguenther (Newbie) | 23. July 2006 @ 04:20
K.... here's the log... Is it clean now?
 Logfile of HijackThis v1.99.1
 Scan saved at 7:17:00 AM, on 7/23/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Program Files\Windows Defender\MsMpEng.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
 C:\PROGRA~1\SYMANT~1\VPTray.exe
 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
 C:\WINDOWS\SOUNDMAN.EXE
 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 C:\Program Files\Windows Defender\MSASCui.exe
 C:\WINDOWS\system32\RUNDLL32.EXE
 C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\Program Files\Symantec AntiVirus\DefWatch.exe
 C:\Program Files\ewido anti-spyware 4.0\guard.exe
 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\WINDOWS\system32\nvsvc32.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 C:\WINDOWS\system32\sistray.exe
 C:\Program Files\Internet Explorer\iexplore.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\WINDOWS\system32\wscntfy.exe
 C:\Documents and Settings\User\Desktop\Downloads\HijackThis_v1.99.1.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
 O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
 O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
 O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
 O4 - HKLM\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
 O4 - HKLM\..\RunServices: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
 O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
 O4 - HKCU\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_] c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
 O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
 O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
 O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
 O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unico...
 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
 O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
 O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
 O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
 O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
 O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
 O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
 O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Senior Member | 24. July 2006 @ 23:08
							Those come back: 
 Scan hijack and check
 
 O4 - HKLM\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_]c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKLM\..\RunServices: [˙_zskpaype`t]_iqriu^tniwmdksz_]c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 O4 - HKCU\..\Run: [˙_zskpaype`t]_iqriu^tniwmdksz_]c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe
 
 Close all programs except HijackThis and click fix checked.
 
 Boot comp.
 
 
 
 
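The loop the Senior Member runs in the posts above (fix the three O4 entries, reboot, post a fresh log, see whether they come back) is easier to audit by diffing the two HijackThis logs than by eye. The script below is an added example, not code posted in this thread and not part of HijackThis: it rejoins O4 entries that a forum paste has wrapped over several lines, copes with the `]` characters inside the garbled autostart name quoted above, and reports Run/RunServices entries that were in the earlier log, are still in the later one, and have a name that looks machine-generated. The two sample logs are constructed from the O4 lines quoted in this thread; the garbled-name heuristic (non-ASCII or control characters, or three or more punctuation characters) and all function names are my own assumptions, not HijackThis features.

```python
"""Diff two HijackThis logs and flag autostart (O4) entries that survive a fix.

Added example for this thread (not HijackThis code).  The sample logs below are
constructed from the O4 lines quoted in the posts above.
"""
import re
from typing import Dict, List, Tuple

# Every HijackThis entry starts with a section tag such as "R0 - ", "O4 - ", "O23 - ".
ENTRY_START = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - ")

# O4 Run-key lines look like:  O4 - HKLM\..\Run: [name] command
# The name is closed by the first "]" that is followed by whitespace, end of line,
# a quote, a %var% or a drive letter.  Stopping at the very first "]" would break
# on the garbled name from the thread, which itself contains a "]".
O4_RUNKEY = re.compile(
    r'^O4 - (?P<location>.+?): \[(?P<name>.*?)\](?=\s|$|"|%|[A-Za-z]:\\)\s*(?P<command>.*)$'
)


def unwrap(log_text: str) -> List[str]:
    """Rejoin entries that a forum paste wrapped onto several lines.

    Lines before the first tagged entry (header, process list) are skipped, blank
    lines are dropped, and an untagged line is glued onto the entry before it
    with a space unless that entry ended mid-path on a backslash.
    """
    entries: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            sep = "" if entries[-1].endswith("\\") else " "
            entries[-1] += sep + line
    return entries


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Return the Run/RunServices O4 entries as dicts (Global Startup .lnk lines are ignored)."""
    found = []
    for entry in unwrap(log_text):
        m = O4_RUNKEY.match(entry)
        if m:
            found.append({"location": m["location"], "name": m["name"],
                          "command": m["command"].strip()})
    return found


def looks_garbled(name: str) -> bool:
    """Heuristic (an assumption, not a HijackThis rule): a value name with control or
    non-ASCII characters, or with three or more punctuation characters other than
    space, dot, dash and underscore, was probably not typed by a software vendor."""
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        return True
    punctuation = sum(1 for c in name if not c.isalnum() and c not in " .-_")
    return punctuation >= 3


def _key(entry: Dict[str, str]) -> Tuple[str, str]:
    # Registry paths and file paths are case-insensitive on Windows.
    return entry["location"].lower(), entry["command"].lower()


def reappeared_suspects(before_log: str, after_log: str) -> List[Dict[str, str]]:
    """O4 entries present in both logs whose name looks garbled: the 'those come back' case."""
    earlier = {_key(e) for e in parse_o4(before_log)}
    return [e for e in parse_o4(after_log)
            if _key(e) in earlier and looks_garbled(e["name"])]


# --- constructed sample input, built from the entries quoted in the thread ---
GARBLED_NAME = "\u02d9_zskpaype`t]_iqriu^tniwmdksz_"   # first character is U+02D9 as extracted
GARBLED_CMD = r"c:\windows\system32\_zskdmwint^uirqi_]t`epyap.exe"

BEFORE_LOG = "\n".join([
    "Logfile of HijackThis v1.99.1",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    "",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    rf"O4 - HKLM\..\Run: [{GARBLED_NAME}] {GARBLED_CMD}",
    rf"O4 - HKLM\..\RunServices: [{GARBLED_NAME}] {GARBLED_CMD}",
    rf"O4 - HKCU\..\Run: [{GARBLED_NAME}] {GARBLED_CMD}",
])

# The later log is pasted with entries wrapped over several lines, as happens in forum posts.
AFTER_LOG = "\n".join([
    "Logfile of HijackThis v1.99.1",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    "",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe"',
    "", "-hide",
    rf"O4 - HKLM\..\Run: [{GARBLED_NAME}]",
    "", GARBLED_CMD,
    rf"O4 - HKLM\..\RunServices: [{GARBLED_NAME}]",
    "", GARBLED_CMD,
    r'O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program',
    "", r'Files\Common Files\Ahead\lib\NMBgMonitor.exe"',
    rf"O4 - HKCU\..\Run: [{GARBLED_NAME}]",
    "", GARBLED_CMD,
])

if __name__ == "__main__":
    for e in reappeared_suspects(BEFORE_LOG, AFTER_LOG):
        print(f"still present: {e['location']} [{e['name']}] -> {e['command']}")
```

Run the file directly to list the survivors. A hit means the value was still there (or was re-created) after "fix checked" and a reboot, which is exactly the situation the helper points out with "Those come back", and is the reason a fresh log is requested after every pass rather than trusting the first fix.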
gamicalX (Junior Member) | 25. July 2006 @ 08:28
Hey everyone. I've cleaned my computer with help from guys in this forum and was having some computer slowdown lately and decided to make a SmitFraudFix and HijackThis log and have you guys check it, if you please could, and tell me if anything is infecting my computer.
 Here's the Smit log:
 
 SmitFraudFix v2.75b
 
 Scan done at 12:24:18.67, Tue 07/25/2006
 Run from C:\Documents and Settings\Corneliu Rablau\My Documents\SmitfraudFix
 OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
 Fix ran in normal mode
 
 »»»»»»»»»»»»»»»»»»»»»»»» C:\
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Corneliu Rablau\Application Data
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» Start Menu
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CORNEL~1\FAVORI~1
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» Desktop
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
 !!!Attention, following keys are not inevitably infected!!!
 
 SrchSTS.exe by S!Ri
 Search SharedTaskScheduler's .dll
 
 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
 
 
 »»»»»»»»»»»»»»»»»»»»»»»» End
 
 
 
 
 And here's the hijack log:
 
 
 
 
 Logfile of HijackThis v1.99.1
 Scan saved at 12:19:11 PM, on 7/25/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Program Files\Windows Defender\MsMpEng.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Program Files\Ahead\InCD\InCDsrv.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\WINDOWS\Explorer.EXE
 C:\Program Files\BitTorrent\bittorrent.exe
 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
 C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
 C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
 C:\Program Files\CA\eTrust Antivirus\InoRT.exe
 C:\Program Files\CA\eTrust Antivirus\InoTask.exe
 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
 C:\WINDOWS\system32\nvsvc32.exe
 C:\Program Files\AlienAutopsy\TEKS_Service.exe
 C:\WINDOWS\system32\slserv.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
 C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
 C:\Program Files\HijackThis_v1.99.1.exe
 C:\WINDOWS\system32\userinit.exe
 
 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.kettering.edu/scripts/proxy.pac
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
 O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
 O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
 O2 - BHO: (no name) - {f7d40011-29bb-43eb-9c97-875ce89e9e36} - C:\WINDOWS\system32\hp100.tmp (file missing)
 O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
 O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
 O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
 O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
 O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
 O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
 O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
 O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
 O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
 O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152131366\ee\AOLSoftware.exe
 O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
 O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
 O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
 O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
 O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
 O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
 O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
 O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
 O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
 O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
 O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
 O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
 O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ku.kettering.edu
 O17 - HKLM\Software\..\Telephony: DomainName = kettering.edu
 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ku.kettering.edu
 O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
 O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
 O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
 O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
 O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
 O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
 O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
 O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
 O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
 
 
 
 
 Let's rock

Senior Member | 25. July 2006 @ 11:57
Hi gamicalX
 You have a lot of unnecessary programs in startup:
 
 You can check whether you need those. Fix those you don't need in startup:
 
 O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
 O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
 O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
 O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
 O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
 O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
 O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
 O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
 O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 
 Then boot the comp and test if it's enough.
Tommy89 (Account closed as per user's own request) | 29. July 2006 @ 19:28
Hi, I am also suffering from this spyware and I do not know how to get rid of it. I really, really hope someone can please teach me how to do it.
 I used Ewido Anti-Spyware and scanned my computer in safe mode, and this is the result that I get:
 
 ---------------------------------------------------------
 ewido anti-spyware - Scan Report
 ---------------------------------------------------------
 
 + Created at:	11:15:23 AM 7/30/2006
 
 + Scan result:
 
 
 
 HKLM\SOFTWARE\Classes\CLSID\{5753791b-f607-48ca-814e-91c14d081f9e} -> Adware.Generic : Cleaned with backup (quarantined).
 HKLM\SOFTWARE\Classes\CLSID\{ee2975b6-e8d5-405e-8448-8fe9590f6cfb} -> Adware.Generic : Cleaned with backup (quarantined).
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5753791b-f607-48ca-814e-91c14d081f9e} -> Adware.Generic : Cleaned with backup (quarantined).
 HKU\S-1-5-21-3288849639-908741370-3392225204-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5753791B-F607-48CA-814E-91C14D081F9E} -> Adware.Generic : Cleaned with backup (quarantined).
 C:\Program Files\SpyHeal -> Adware.SpyHeal : Cleaned with backup (quarantined).
 C:\Program Files\SpyHeal\sq.ini -> Adware.SpyHeal : Cleaned with backup (quarantined).
 C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\tmp77.tmp -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned with backup (quarantined).
 C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
 C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
 
 
 ::Report end
 
 So what should I do next? Am I on the right thread? Please enlighten me. A big thank you to you.