
Topic: Help Plz. Virus Found - Log attached

  1. #1
    Beginner
    Registered since
    10.09.2006
    Posts
    4

    Help Plz. Virus Found - Log attached

    I've installed the free edition of AVG onto my dad's computer and it's found a virus in C:\WINDOWS\ieredir.exe. I've tried to fix the file using AVG and Norton, but the virus continues to plague the system. I've attached the log file below if someone can help, please?

    Thanks in advance
    Andy

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 14:01:58, on 10/09/2006
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\WDBtnMgr.exe
    C:\WINDOWS\ieredir.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\system32\RDSHOST.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
    C:\HiJackThis\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.karoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwZgbp0Dbid84P3Cb/6BpdKQthdFJPuQbL1GbZKpz+cd2Bm7r3mZYr6FLiV6PjdyXckOAUZk/yA2oCc3U70XYxKxLbUPE0S60H
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.karoo.co.uk:8080
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: ScriptInocUI Class -  - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\system32\dllcache\smss.exe
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\system32\dllcache\winlogon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2280C46B-DD13-41A3-8E36-0B83AB34F451}: NameServer = 192.168.100.101
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB09BD1-70F2-417F-9BE3-0B29B5B4A2ED}: NameServer = 212.50.160.100 213.249.130.100
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O21 - SSODL: System - {27F06ACF-372D-4162-8673-6A298802B438} - (no file)
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Network Client (nwclntc) - Unknown owner - C:\WINDOWS\system32\netclnc.exe (file missing)
    O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
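
    An added example for this thread, not HijackThis code and not the forum's own tooling: a small Python triage script that reads a HijackThis v1.99.1 log and flags the kinds of entries a helper looks for (core Windows binaries started from a Run key, services with no vendor or a missing binary, an SSODL entry with no file, a search URL pointing at a third-party host, an executable running from the %WINDIR% root). The sample lines are copied from the log above with the search query string shortened; the allowlists and the expected search hosts are assumptions, and the verdicts are heuristics, not signatures.

```python
"""Triage heuristics for a HijackThis v1.99.1 log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Processes Windows starts itself during boot/logon; a Run key should never launch them.
CORE_WINDOWS_BINARIES = {"smss.exe", "winlogon.exe", "csrss.exe", "services.exe", "lsass.exe"}
# Executables legitimately found directly in %WINDIR% (assumption: a small allowlist).
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}
# Hosts the thread shows as the owner's own start page / search provider (assumption).
EXPECTED_SEARCH_HOSTS = {"www.karoo.co.uk", "g.msn.co.uk"}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
R1_SEARCH_RE = re.compile(r"^R1 - .*SearchURL,\(Default\) = (?P<url>\S+)")
PROC_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\(?P<exe>[^\\]+\.exe)$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    section: str  # HijackThis section code, or PROC for a running-process line
    reason: str
    text: str


def exe_name(command: str) -> str:
    """Lower-cased basename of the program in a Run-key command line (quoted or not)."""
    command = command.strip()
    first = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return first.rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings = []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if (m := PROC_RE.match(line)) and m.group("exe").lower() not in WINDIR_ROOT_OK:
            findings.append(Finding(no, "PROC", "executable running from %WINDIR% root rather than System32", line))
        elif m := R1_SEARCH_RE.match(line):
            host = urlsplit(m.group("url")).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding(no, "R1", f"search URL points at third-party host {host}", line))
        elif m := O4_RE.match(line):
            cmd = m.group("cmd")
            if exe_name(cmd) in CORE_WINDOWS_BINARIES:
                reason = "core Windows binary launched from a Run key"
                if "dllcache" in cmd.lower():
                    reason += " (copy taken from dllcache)"
                findings.append(Finding(no, "O4", reason, line))
        elif line.startswith("O21 - SSODL:") and line.endswith("(no file)"):
            findings.append(Finding(no, "O21", "shell service object registered with no file on disk", line))
        elif m := O23_RE.match(line):
            reasons = []
            if m.group("vendor") == "Unknown owner":
                reasons.append("service has no vendor")
            if "(file missing)" in m.group("path"):
                reasons.append("service binary missing on disk")
            if reasons:
                findings.append(Finding(no, "O23", "; ".join(reasons), line))
    return findings


# Sample lines copied from the first log in this thread (search query string shortened).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ieredir.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\system32\dllcache\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\system32\dllcache\winlogon.exe
O21 - SSODL: System - {27F06ACF-372D-4162-8673-6A298802B438} - (no file)
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Network Client (nwclntc) - Unknown owner - C:\WINDOWS\system32\netclnc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no:>2} [{f.section}] {f.reason}\n    {f.text}")
```

    Entries the script does not flag (the WD Button Manager Run key, the NVIDIA service) are still worth a manual look; the heuristics only narrow the list.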

  2. #2
    Ruby (Supermod, retired)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.175

    Re: Help Plz. Virus Found - Log attached

    Welcome to HijackThis.eu @ Andy

    It's not the only malware on your father's system, but who would wonder about it... The operating system and Internet Explorer aren't up to date. That means there are very serious vulnerabilities. The best you could do is to format and rebuild this system, because someone else has access to it. There are some dangerous backdoors on your father's system. Please read our Security Tips.

    -----------------------
    For the greatest safety, it is recommended that
    you do not do online banking, file sharing, mailing, messaging,
    uploads and downloads except to security sites
    until your system is formatted or cleaned up.
    Take a look at "Security Tips" in my signature.

    -----------------------

    You had better not run two antivirus programs with an on-access scanner at the same time. It could crash the system. Please disable one of them.

    As you want to clean up this system, you may want to follow these instructions:

    Make sure you set Windows to show hidden files and folders.
    1. Please download filelist.zip to your desktop.
    2. Unzip this file to your desktop (free zip tools).
    3. Restart your system.
    4. Double-click filelist.bat to run it.
    5. Your editor program will open.
    6. Highlight the content, choose copy, and paste it into your next post.
    7. Please note: we only need the last 30 days of every directory in this file.
    • Many thanks to our moderator Karl83 for creating this new tool.
    • Directory of C:\
    • Directory of C:\WINDOWS\system32
    • Directory of C:\WINDOWS
    • Directory of C:\WINDOWS\Prefetch
    • Directory of C:\WINDOWS\tasks
    • Directory of C:\WINDOWS\Temp
    • Directory of C:\DOCUME~1\Name\LOCALS~1\Temp
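
    An added example for this thread, not the forum's filelist tool by Karl83: a Python version of the listing the steps above ask for, i.e. the files changed in the last 30 days in each directory, newest first, in the layout of a Windows dir listing. The directory names and the 30-day window are taken from the post; the output format, the sample directory the demo builds and the choice to skip subdirectories are assumptions.

```python
"""Files modified in the last N days per directory (added example, not filelist.bat)."""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# The directories the filelist step reports on, as named in the post above.
FILELIST_DIRS = [
    "C:\\", r"C:\WINDOWS\system32", r"C:\WINDOWS", r"C:\WINDOWS\Prefetch",
    r"C:\WINDOWS\tasks", r"C:\WINDOWS\Temp", os.path.expandvars("%TEMP%"),
]


def recent_files(directory, days=30, now=None):
    """Return (mtime, size, name) for files in `directory` modified within `days`, newest first.

    Only the directory itself is listed, not its subdirectories. Unlike a plain
    `dir`, os.scandir also reports hidden files, so no attribute switch is needed.
    """
    now = now or datetime.now()
    cutoff = now - timedelta(days=days)
    rows = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        mtime = datetime.fromtimestamp(st.st_mtime)
        if mtime >= cutoff:
            rows.append((mtime, st.st_size, entry.name))
    rows.sort(reverse=True)  # newest first, like the listing posted in the thread
    return rows


def format_listing(directory, rows):
    """Render rows in the layout of the Windows dir output quoted in the thread."""
    lines = [f" Directory of {directory}", ""]
    for mtime, size, name in rows:
        lines.append(f"{mtime:%d/%m/%Y  %H:%M} {size:>17,} {name}")
    lines.append(f"{len(rows):>16} File(s) {sum(r[1] for r in rows):>14,} bytes")
    return "\n".join(lines)


def demo():
    """Build a constructed sample directory and list it with the 30-day window."""
    root = Path(tempfile.mkdtemp(prefix="filelist-demo-"))
    now = datetime.now()
    # Constructed files: two inside the window, one 45 days old that must be left out.
    for name, age_days in (("new.exe", 0), ("fresh.log", 1), ("old.dat", 45)):
        path = root / name
        path.write_bytes(b"x" * (age_days + 1))
        ts = (now - timedelta(days=age_days)).timestamp()
        os.utime(path, (ts, ts))
    (root / "sub").mkdir()  # subdirectories are not descended into
    rows = recent_files(root, days=30, now=now)
    print(format_listing(str(root), rows))
    return rows


if __name__ == "__main__":
    demo()
```

    On the real machine, replace the demo with a loop over FILELIST_DIRS and catch PermissionError for directories the account cannot read.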

  3. #3
    Beginner
    Registered since
    10.09.2006
    Posts
    4

    Re: Help Plz. Virus Found - Log attached

    Thanks for your assistance, Ruby. I thought I had left automatic Windows updates on. I've just taken a look and found his computer is running an illegal version of Windows XP. He had his system built for him back in 2001/2002. I will email Microsoft to see if I can get a free copy of Win XP.

    Very good advice about not using the computer for banking. The only way I found out about my dad's computer problems was when he mentioned the bank had closed his online account due to suspicious activity.

    I have followed your instructions:

    Code:
     Directory of C:\
    
    11/09/2006  20:12                43 filelist.txt
    11/09/2006  19:26       805,306,368 pagefile.sys
    10/09/2006  13:55               194 boot.ini
    10/09/2006  12:44        11,651,953 AVG7QT.DAT
    08/08/2006  20:30                 0 CONFIG.SYS
    08/08/2006  20:30                 0 AUTOEXEC.BAT
    
     Directory of C:\WINDOWS\system32
    
    10/09/2006  12:34             2,184 wpa.dbl
    
     Directory of C:\WINDOWS\Prefetch
    
    11/09/2006  20:12             5,428 FIND.EXE-0EC32F1E.pf
    11/09/2006  20:12            14,722 CMD.EXE-087B4001.pf
    11/09/2006  20:10            26,240 WINZIP32.EXE-335422C1.pf
    11/09/2006  20:06            96,872 IEXPLORE.EXE-27122324.pf
    11/09/2006  20:06            16,880 MSNAPPAU.EXE-07139F47.pf
    11/09/2006  20:06            22,740 RUNDLL32.EXE-38471A59.pf
    11/09/2006  20:05            75,466 SKYPE.EXE-30AE1A60.pf
    11/09/2006  20:05            14,184 WDBTNMGR.EXE-31AFAE50.pf
    11/09/2006  20:05            10,756 RUNDLL32.EXE-2F41AAED.pf
    11/09/2006  20:05            14,962 RUNDLL32.EXE-14C12299.pf
    11/09/2006  20:05             6,728 DSLAGENT.EXE-11E24C1A.pf
    11/09/2006  20:05            11,580 JUSCHED.EXE-04D31062.pf
    11/09/2006  20:05             9,650 E_S4I0F2.EXE-38412DBF.pf
    11/09/2006  20:05            11,706 WINLOGON.EXE-39D8E673.pf
    11/09/2006  20:04            16,206 WUAUCLT.EXE-399A8E72.pf
    11/09/2006  19:46           518,738 Layout.ini
    11/09/2006  19:34             9,910 SSMYST.SCR-1CCCF0DC.pf
    11/09/2006  19:28         1,122,014 NTOSBOOT-B00DFAAD.pf
    11/09/2006  19:23            17,134 LOGONUI.EXE-0AF22957.pf
    11/09/2006  19:23           102,720 WMIPRVSE.EXE-28F301A9.pf
    11/09/2006  19:17            68,176 UPDATE.EXE-0845AB52.pf
    11/09/2006  19:12            67,632 UPDATE.EXE-05F883CC.pf
    11/09/2006  18:48             6,338 DUMPREP.EXE-1B46F901.pf
    11/09/2006  18:47            22,648 SYMNRT.EXE-05594C6F.pf
    11/09/2006  18:46             5,382 ATTRIB.EXE-39EAFB02.pf
    11/09/2006  18:43            49,270 MSIEXEC.EXE-2F8A8CAE.pf
    11/09/2006  18:42            19,800 LSETUP.EXE-32559C46.pf
    11/09/2006  18:41             5,424 VCCLNUP0.EXE-01F3DBF1.pf
    11/09/2006  18:41            37,832 VCSETUP.EXE-1F28DAD9.pf
    11/09/2006  18:41            11,472 IRALRSHL.EXE-1773AE0D.pf
    11/09/2006  18:41            19,176 CCPWDSVC.EXE-0711D107.pf
    11/09/2006  18:41            71,930 NMAIN.EXE-2BA406E0.pf
    11/09/2006  18:41             9,566 SEVINST.EXE-2A7737B0.pf
    11/09/2006  18:40            69,726 LUCOMS~1.EXE-02DB5950.pf
    11/09/2006  18:40            10,718 SYMLCSVC.EXE-0775DAC9.pf
    11/09/2006  18:40             8,452 MSI17D.TMP-3B9AC87C.pf
    11/09/2006  18:40            18,276 MSI145.TMP-36E10647.pf
    11/09/2006  18:39            34,870 SBSERV.EXE-32089713.pf
    11/09/2006  18:39            58,968 NAVAPSVC.EXE-0156D7E2.pf
    11/09/2006  18:39            10,312 SAVSCAN.EXE-2CDAEA23.pf
    11/09/2006  18:38             9,320 NPROTECT.EXE-12B4D3FB.pf
    11/09/2006  18:38            10,058 NOPDB.EXE-09B28FA3.pf
    11/09/2006  18:38            32,400 {71E7B3F5-CFAF-4C1E-B494-528E-06397DFF.pf
    11/09/2006  18:31            47,942 RUNDLL32.EXE-35BB92D4.pf
    11/09/2006  18:29            50,934 SPYBOTSD.EXE-1344276B.pf
    11/09/2006  18:29            11,708 UPDATE.EXE-131667C7.pf
    11/09/2006  18:21            83,898 NAVW32.EXE-286920DF.pf
    11/09/2006  18:20            75,412 LUCALLBACKPROXY.EXE-19ED7806.pf
    11/09/2006  18:20            40,500 AUPDATE.EXE-2253CB60.pf
    11/09/2006  18:19            76,334 HELPCTR.EXE-3862B6F5.pf
    11/09/2006  18:19            12,396 RDSADDIN.EXE-36B76CAD.pf
    11/09/2006  18:19            93,702 WINLOGON.EXE-32C57D49.pf
    11/09/2006  18:19             9,940 USERINIT.EXE-30B18140.pf
    11/09/2006  18:19            47,784 CSRSS.EXE-12B63473.pf
    11/09/2006  18:18            61,270 OPSCAN.EXE-20B6A0BA.pf
    11/09/2006  18:18           114,928 OUTLOOK.EXE-1E64345B.pf
    11/09/2006  18:18            16,360 RDSHOST.EXE-38C57D5D.pf
    11/09/2006  18:17             9,542 RCIMLBY.EXE-29F11D7B.pf
    11/09/2006  18:16           218,710 HELPSVC.EXE-2878DDA2.pf
    11/09/2006  18:16            41,276 MSMSGS.EXE-2B6052DE.pf
    11/09/2006  18:11            24,704 UPDATE.EXE-278456E6.pf
    11/09/2006  18:11            12,294 BITSINST.EXE-2CB4826B.pf
    11/09/2006  18:11            70,908 UPDATE.EXE-2726CBE7.pf
    11/09/2006  18:07            24,222 REGSVR32.EXE-25EEFE2F.pf
    11/09/2006  18:04            69,116 WINWORD.EXE-29F5CB89.pf
    11/09/2006  17:21            34,666 DFRGNTFS.EXE-269967DF.pf
    11/09/2006  17:21            11,376 DEFRAG.EXE-273F131E.pf
    11/09/2006  16:50            26,066 QW.EXE-340E9CC2.pf
    11/09/2006  16:44           100,556 OUTLOOK.EXE-27D5965C.pf
    11/09/2006  15:30            27,752 WCESMGR.EXE-2FB86E92.pf
    10/09/2006  21:17            36,922 YUPDATER.EXE-3946FDDF.pf
    10/09/2006  21:16            13,476 WMIAPSRV.EXE-1E2270A5.pf
    10/09/2006  21:16            62,060 YPAGER.EXE-31587640.pf
    10/09/2006  21:14           111,200 MSNMSGR.EXE-366A1A81.pf
    10/09/2006  21:03            58,918 AUTOROUT.EXE-1500E64C.pf
    10/09/2006  19:56            21,690 YMSGR_TRAY.EXE-256366BA.pf
    10/09/2006  19:05            33,394 VCGPROXYFILEMANAGER.EXE-2CE11B52.pf
    10/09/2006  19:05            12,860 CPSHELPRUNNER.EXE-22868065.pf
    10/09/2006  19:05            77,672 ROXWIZARDLAUNCHER.EXE-0BFB0399.pf
    10/09/2006  18:11            28,160 SESSMGR.EXE-25E7D5E1.pf
    10/09/2006  18:10            12,880 CIT200.EXE-3874993E.pf
    10/09/2006  18:09            27,600 CCAPP.EXE-1207B2A5.pf
    10/09/2006  18:09            10,024 CTFMON.EXE-0E17969B.pf
    10/09/2006  18:09             9,974 USRPRMPT.EXE-2F2D32EA.pf
    10/09/2006  18:09             6,802 SNDMON.EXE-0A6C21A2.pf
    10/09/2006  16:40            53,900 MSMONEY.EXE-002A94C1.pf
    10/09/2006  15:44            17,958 WCESCOMM.EXE-062FDF7F.pf
    10/09/2006  15:44            18,300 AVGCC.EXE-36A38F59.pf
    10/09/2006  15:12            36,474 AD-AWARE.EXE-3262F7A9.pf
    10/09/2006  14:28            86,246 NAVW32.EXE-365BADC3.pf
    10/09/2006  13:12            62,466 ACRORD32.EXE-0781811F.pf
    10/09/2006  12:49            40,950 DRWTSN32.EXE-2B4B52AC.pf
    10/09/2006  12:49            54,558 DWWIN.EXE-30875ADC.pf
    08/09/2006  16:45            21,940 RASAUTOU.EXE-18B88A68.pf
    07/09/2006  21:03             5,878 NET.EXE-01A53C2F.pf
    07/09/2006  21:03             8,310 NET1.EXE-029B9DB4.pf
    07/09/2006  21:03             4,948 SC.EXE-012262AF.pf
                  97 File(s)      5,132,238 bytes
                   0 Dir(s)  62,920,204,288 bytes free
    
     Directory of C:\WINDOWS
    
    11/09/2006  20:12           430,087 WindowsUpdate.log
    11/09/2006  19:26                 0 0.log
    11/09/2006  19:26               159 wiadebug.log
    11/09/2006  19:26                50 wiaservc.log
    11/09/2006  19:26             2,048 bootstat.dat
    11/09/2006  19:25            32,444 SchedLgU.Txt
    11/09/2006  19:23            50,789 svcpack.log
    11/09/2006  19:20            68,516 setupapi.log
    11/09/2006  18:41             5,185 SYMEVENT.LOG
    11/09/2006  18:12             9,412 WGA.log
    11/09/2006  18:11             2,053 comsetup.log
    11/09/2006  18:11             1,247 ntdtcsetup.log
    11/09/2006  18:11             7,951 iis6.log
    11/09/2006  18:11             2,809 tsoc.log
    11/09/2006  18:11             1,374 imsins.log
    11/09/2006  18:11             5,789 KB842773.log
    11/09/2006  18:11               303 msgsocm.log
    11/09/2006  18:11               212 ocmsn.log
    11/09/2006  18:11             2,480 ocgen.log
    11/09/2006  18:11             6,182 FaxSetup.log
    11/09/2006  18:11             1,904 msmqinst.log
    11/09/2006  18:11             4,395 setupact.log
    11/09/2006  18:11                 0 setuperr.log
    11/09/2006  18:02             1,840 QUICKEN.INI
    11/09/2006  18:02               123 INTUIT.INI
    10/09/2006  17:55            78,620 ntbtlog.txt
    10/09/2006  13:55               599 win.ini
    10/09/2006  13:55               227 system.ini
    10/09/2006  13:52            79,360 Thumbs.db
    10/09/2006  13:51               116 NeroDigital.ini
    03/09/2006  16:19             3,448 urls.dat
    03/09/2006  16:19             3,448 htmlcode.dat
    23/08/2006  17:15               308 cina.ini
    
    
     Directory of C:\WINDOWS\tasks
    
    11/09/2006  19:26                 6 SA.DAT
    23/08/2001  13:00                65 desktop.ini
    
    
     Directory of C:\DOCUME~1\temp\LOCALS~1\Temp
    
    11/09/2006  20:06               408 WCESCOMM.LOG
    11/09/2006  20:06             1,110 jusched.log
    11/09/2006  19:23         3,784,053 SymNRT 9-11-2006 18h47m9s.log
    11/09/2006  18:47                 0 SPR2AC.tmp
    11/09/2006  18:47                 0 SPR2AB.tmp
    11/09/2006  18:42            36,668 symcprop.dat
    11/09/2006  18:42               291 SNDunin.log
    11/09/2006  18:42         3,926,608 Norton SystemWorks 2005 9-11-2006 18h38m33s.log
    11/09/2006  18:41             3,192 LSInstall.log
    11/09/2006  18:39               124 SSALiveUpdate.dat
    11/09/2006  18:39               124 AVRES_OPTRF_LiveUpdate.dat
    11/09/2006  18:24            14,525 wcesmgr.log
    11/09/2006  18:19            80,856 dat1A.tmp
    11/09/2006  18:16            11,300 MPC19.tmp
    11/09/2006  18:16               280 MSIf732.LOG
    11/09/2006  18:16               483 outstore.log
    11/09/2006  18:15               280 MSIf731.LOG
    11/09/2006  18:06               280 MSIaf447.LOG
    11/09/2006  18:06               280 MSIaf446.LOG
    11/09/2006  18:05               280 MSI90661.LOG
    11/09/2006  18:05               280 MSI90660.LOG
    11/09/2006  16:44               280 MSI127a.LOG
    11/09/2006  16:44               280 MSI1279.LOG
    11/09/2006  16:37               280 MSI97712.LOG
    11/09/2006  16:37               280 MSI97711.LOG
    11/09/2006  15:24               280 MSI641b0.LOG
    11/09/2006  15:24               280 MSI641af.LOG
    11/09/2006  15:19               280 MSI1121c.LOG
    11/09/2006  15:19               280 MSI1121b.LOG
    10/09/2006  21:17               280 MSI9247d.LOG
    10/09/2006  21:17               280 MSI9247c.LOG
    10/09/2006  21:17            16,384 ~DFFDCC.tmp
    10/09/2006  21:06               280 MSIe96b4.LOG
    10/09/2006  21:06               280 MSIe96b3.LOG
    10/09/2006  19:47            21,176 ukwm22.bmp
    10/09/2006  19:47            21,176 ukpink.bmp
    10/09/2006  19:47            14,136 ukcars.bmp
    10/09/2006  19:47            21,176 ukjt.bmp
    10/09/2006  19:47             7,428 peanuts.bmp
    10/09/2006  19:47             8,120 doodle.bmp
    10/09/2006  19:47             7,556 dilbert.bmp
    10/09/2006  19:47             8,120 hearts.bmp
    10/09/2006  18:11               280 MSIe5c94.LOG
    10/09/2006  18:11               280 MSIe5c93.LOG
    10/09/2006  18:10               280 MSId490f.LOG
    10/09/2006  16:41               280 MSIe401b.LOG
    10/09/2006  16:41               280 MSIe401a.LOG
    10/09/2006  15:45               280 MSIa01d7.LOG
    10/09/2006  15:45               280 MSIa01d6.LOG
    10/09/2006  14:20               280 MSI22407.LOG
    10/09/2006  14:20               280 MSI22406.LOG
    10/09/2006  14:20               520 WcesView.log
    10/09/2006  13:16            80,856 datC0.tmp
    10/09/2006  13:05               280 MSId53ff.LOG
    10/09/2006  13:05               280 MSId53fe.LOG
    10/09/2006  12:34            32,768 ~DF8977.tmp
    10/09/2006  12:34            16,384 ~DF5D75.tmp
    02/02/2006  21:23         2,422,984 Patch_MSN_Messenger.exe

    I have also spent some time removing a trojan and have removed Norton. The new HijackThis log is below.

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 20:18:09, on 11/09/2006
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\System32\WDBtnMgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJackThis\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.karoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwZgbp0Dbid84P3Cb/6BpdKQthdFJPuQbL1GbZKpz+cd2Bm7r3mZYr6FLiV6PjdyXckOAUZk/yA2oCc3U70XYxKxLbUPE0S60H
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.karoo.co.uk:8080
    R3 - URLSearchHook: (no name) -  - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\system32\dllcache\smss.exe
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\system32\dllcache\winlogon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157994385670
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2280C46B-DD13-41A3-8E36-0B83AB34F451}: NameServer = 192.168.100.101
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB09BD1-70F2-417F-9BE3-0B29B5B4A2ED}: NameServer = 212.50.160.100 213.249.130.100
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Network Client (nwclntc) - Unknown owner - C:\WINDOWS\system32\netclnc.exe (file missing)
    O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    Really appreciate the help.

    Regards
    Andy
    Last edited by andy1984uk (11.09.2006 at 20:23)
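To show what a helper actually looks for when reading a HijackThis log like the one above, here is an added Python triager (not a tool from this thread, from HijackThis or from ComboFix) that applies three such checks to a handful of lines copied from the log; the trusted-host allowlist and the sample lines are constructed assumptions, and every hit is something to ask about, not something to delete blindly.

```python
"""Triage a HijackThis 1.99.x log: flag autostart entries that deserve review.

Added example for this thread; not a tool from the thread, from HijackThis or
from ComboFix. The allowlist and the sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Binaries the Windows boot chain starts itself (smss -> winlogon -> services/lsass).
# A Run key that claims to launch one of them is never a legitimate entry, however
# official the value name looks.
BOOT_CHAIN = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "csrss.exe"}

# Hosts the owner of this PC expects in Internet Explorer start/search settings
# (assumed allowlist, built from the R0/R1 lines that match the user's ISP and MSN).
TRUSTED_HOSTS = {"www.karoo.co.uk", "g.msn.co.uk"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
R_RE = re.compile(r"^R[013] - (?P<key>.+?) = (?P<url>\S+)$")
R3_ORPHAN_RE = re.compile(r"^R3 - URLSearchHook: .*\(no file\)$")


@dataclass
class Finding:
    line: str
    reason: str


def exe_name(cmd: str) -> str:
    """Basename of the executable in a Run-key command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_of(url: str) -> str:
    """Hostname of an http(s) URL, or '' for anything else (e.g. a proxy host:port)."""
    m = re.match(r"https?://([^/?]+)", url)
    return m.group(1).lower() if m else ""


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a helper would ask about, with the reason for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = exe_name(m.group("cmd"))
            if exe in BOOT_CHAIN:
                findings.append(Finding(line, f"Run key launches boot-chain binary {exe} from {m.group('cmd')}"))
            continue
        m = O23_RE.match(line)
        if m:
            # An ownerless service whose binary is gone is either a removed malware
            # component or an uninstaller leftover: review it, do not auto-delete.
            if m.group("missing") and m.group("owner") == "Unknown owner":
                findings.append(Finding(line, "ownerless service with missing binary"))
            continue
        if R3_ORPHAN_RE.match(line):
            findings.append(Finding(line, "orphaned URLSearchHook (no file)"))
            continue
        m = R_RE.match(line)
        if m:
            host = host_of(m.group("url"))
            if host and host not in TRUSTED_HOSTS:
                findings.append(Finding(line, f"IE setting points at untrusted host {host}"))
    return findings


# Constructed sample: a subset of lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.karoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.karoo.co.uk:8080
R3 - URLSearchHook: (no name) -  - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\system32\dllcache\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\system32\dllcache\winlogon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Network Client (nwclntc) - Unknown owner - C:\WINDOWS\system32\netclnc.exe (file missing)
O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```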

  4. #4
    Ruby (Supermod, ret.)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.175

    Re: Help Plz. Virus Found - Log attached

    Hello Andy

    I need more information about this system.
    Please disconnect from the Internet while not cleaning up this machine.
    Please download Combofix:

    http://download.bleepingcomputer.com/sUBs/combofix.exe
    http://www.techsupportforum.com/sectools/combofix.exe
    • Save it to the desktop.
    • Close down all applications while running the fix.
    • Since an infection will be found, Combofix will restart your system automatically.
    • Don't shut down the Fixbox Window, otherwise a blank desktop will remain.
    1. Double click on combo.exe & follow the prompts, type "Y" to continue or "N" to stop the Fix.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply with a new hijackthis log.

    Note:
    • Do not mouse-click combofix's window while it is running. That may cause your system to stall/hang.
      The Fix will last about 10 minutes.
    • Do not proceed with cleaning anything else if you fail to run combofix.
    • Disable script blocking if you have NAV installed so it will not interfere with the fix.
    • Reboot your system.

  5. #5
    Beginner
    Registered since
    10.09.2006
    Posts
    4

    Re: Help Plz. Virus Found - Log attached

    Combo box log file:

    Code:
    temp - 06-09-13 19:39:48.85
    ComboFix 06.09.11B - Running from: C:\Documents and Settings\temp\Desktop 
    
    Microsoft Windows XP [Version 5.1.2600]
    
    (((((((((((((((((((((((((((((((   Files Created from 2006-08-13 to 2006-09-13  ))))))))))))))))))))))))))))))))))
     
    
    2006-09-11	18:10	7,680	---------	C:\WINDOWS\system32\bitsprx2.dll
    2006-09-11	18:10	7,168	---------	C:\WINDOWS\system32\bitsprx3.dll
    2006-09-11	18:10	331,776	--a------	C:\WINDOWS\system32\winhttp.dll
    2006-09-11	18:10	17,408	--a------	C:\WINDOWS\system32\qmgrprxy.dll
    2006-09-11	18:10	158,720	---------	C:\WINDOWS\system32\xpob2res.dll
    2006-09-11	18:07	465,176	--a------	C:\WINDOWS\system32\wuapi.dll
    2006-09-11	18:07	41,240	--a------	C:\WINDOWS\system32\wups.dll
    2006-09-11	18:07	194,328	--a------	C:\WINDOWS\system32\wuaueng1.dll
    2006-09-11	18:07	18,200	--a------	C:\WINDOWS\system32\wups2.dll
    2006-09-11	18:07	172,312	--a------	C:\WINDOWS\system32\wuauclt1.exe
    2006-09-11	18:07	127,256	--a------	C:\WINDOWS\system32\wucltui.dll
     
    
    ((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))
    
    
    2006-09-13 13:25	--------	d--------	C:\Documents and Settings\temp\Application Data\Skype
    2006-09-11 20:38	--------	d--------	C:\Program Files\Pinnacle
    2006-09-11 20:38	--------	d--------	C:\Program Files\House_Booking_Application
    2006-09-11 20:37	--------	d--------	C:\Program Files\Microsoft AntiSpyware
    2006-09-11 19:26	--------	d--------	C:\Program Files\Norton SystemWorks
    2006-09-11 19:26	--------	d--------	C:\Program Files\Common Files\Symantec Shared
    2006-09-11 18:40	--------	d--------	C:\Program Files\Common Files
    2006-09-11 18:07	--------	d--h-----	C:\Program Files\WindowsUpdate
    2006-09-10 19:07	--------	d--------	C:\Documents and Settings\temp\Application Data\Roxio
    2006-09-10 13:09	--------	d---s----	C:\Documents and Settings\temp\Application Data\Microsoft
    2006-09-10 12:51	--------	d--------	C:\Program Files\CCleaner
    2006-09-10 12:42	777472	--a------	C:\WINDOWS\system32\drivers\avg7core.sys
    2006-09-10 12:42	4288	--a------	C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-09-10 12:42	27904	--a------	C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-09-10 12:42	23424	--a------	C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-09-10 12:42	--------	d--------	C:\Program Files\Grisoft
    2006-09-10 12:42	--------	d--------	C:\Documents and Settings\temp\Application Data\AVG7
    2006-09-08 20:54	--------	d--------	C:\Program Files\AVPersonal
    2006-09-07 20:30	--------	d--------	C:\Program Files\ewido anti-spyware 4.0
    2006-08-08 20:30	0	--a------	C:\CONFIG.SYS
    2006-08-08 20:30	0	--a------	C:\AUTOEXEC.BAT
    2006-08-08 20:30	--------	d--------	C:\Program Files\SuperLetter
     
    
    ((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
     
    *Note* empty entries are not shown
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
    "Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
    "DSLAGENTEXE"="dslagent.exe USB"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
    "Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
    "WD Button Manager"="WDBtnMgr.exe"
    "Microsoft Windows Session Manager Subsystem"="C:\\WINDOWS\\system32\\dllcache\\smss.exe"
    "Microsoft Windows Logon Process"="C:\\WINDOWS\\system32\\dllcache\\winlogon.exe"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
      00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
      ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
      00,00,01,00,00,00
    
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "EM_EXeEL"="jjb.exe"
    "Microsoft Update"="wuagmsd.exe"
    "Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    
    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "EM_EXeEL"="jjb.exe"
    "Microsoft Update"="wuagmsd.exe"
    "Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=hex:5f,00,00,00
    "NoSaveSettings"=hex:00,00,00,00
    "NoStartBanner"=hex:00,00,00,00
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    "ie.exe"="C:\\WINDOWS\\ie.exe"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    @=""
    "NoDriveTypeAutoRun"=hex:5f,00,00,00
    "NoCDBurning"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
    
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000
    
    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "CDBurn"=""
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
    "item"="Adobe Gamma Loader"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Billminder.lnk"
    "backup"="C:\\WINDOWS\\pss\\Billminder.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\quickenw\\BILLMIND.EXE "
    "item"="Billminder"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\DataViz Messenger.lnk"
    "backup"="C:\\WINDOWS\\pss\\DataViz Messenger.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\WINDOWS\\DVZCOM~1\\DvzMsgr.exe "
    "item"="DataViz Messenger"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
    "backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\SONYHA~1\\HOTSYNC.EXE "
    "item"="HotSync Manager"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\NkvMon.exe.lnk"
    "backup"="C:\\WINDOWS\\pss\\NkvMon.exe.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Nikon\\NkView6\\NkvMon.exe "
    "item"="NkvMon.exe"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^temp^Start Menu^Programs^Startup^svchost.exe]
    "path"="C:\\Documents and Settings\\temp\\Start Menu\\Programs\\Startup\\svchost.exe"
    "backup"="C:\\WINDOWS\\pss\\svchost.exeStartup"
    "location"="Startup"
    "command"="C:\\Documents and Settings\\temp\\Start Menu\\Programs\\Startup\\svchost.exe"
    "item"="svchost"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AdaptecDirectCD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DirectCD"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EM_EXeEL]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jjb"
    "hkey"="HKCU"
    "command"="jjb.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EssSpkPhone]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="essspk"
    "hkey"="HKLM"
    "command"="essspk.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\gcasServ]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="gcasServ"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\GSICONEXE]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="GSICON"
    "hkey"="HKLM"
    "command"="GSICON.EXE"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="wuagmsd"
    "hkey"="HKCU"
    "command"="wuagmsd.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MoneyAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Money Express"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnappau]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msnappau"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\MSN Apps\\Updater\\01.03.0000.1005\\en-gb\\msnappau.exe\""
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\NeroCheck.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvClipRsv]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="svchost"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\svchost.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NvCpl"
    "hkey"="HKLM"
    "command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nwiz"
    "hkey"="HKLM"
    "command"="nwiz.exe /install"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioEngineUtility]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="EngUtil"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoundMan]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SOUNDMAN"
    "hkey"="HKLM"
    "command"="SOUNDMAN.EXE"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="bwhnlev"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\bwhnlev.exe"
    "inimapping"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ypager"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
    "inimapping"="0"
    
    
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
    
     
    Completion time: 13/09/2006 19:40:09.06 
    ComboFix.txt


    Latest HiJack log:

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 19:42:02, on 13/09/2006
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\WINDOWS\System32\WDBtnMgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJackThis\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.karoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwZgbp0Dbid84P3Cb/6BpdKQthdFJPuQbL1GbZKpz+cd2Bm7r3mZYr6FLiV6PjdyXckOAUZk/yA2oCc3U70XYxKxLbUPE0S60H
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.karoo.co.uk:8080
    R3 - URLSearchHook: (no name) -  - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\system32\dllcache\smss.exe
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\system32\dllcache\winlogon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157994385670
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2280C46B-DD13-41A3-8E36-0B83AB34F451}: NameServer = 192.168.100.101
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB09BD1-70F2-417F-9BE3-0B29B5B4A2ED}: NameServer = 212.50.160.100 213.249.130.100
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Network Client (nwclntc) - Unknown owner - C:\WINDOWS\system32\netclnc.exe (file missing)
    O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    Again, really appreciate this, Ruby

  6. #6
    Ruby, Supermod (retired)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.175

    Re: Help Plz. Virus Found - Log attached

    Hello Andy

    Please download a trial version from www.kaspersky.com (Kaspersky Anti-Virus 6.0).
    Update the program online.

    Please NOTE: you may not run two AV programs with on-access scanners at the same time. Please disable your other AV program while using KAV.

    Now turn off your computer and remove the network cable/phone line from your machine.
    Reboot your computer in Safe Mode
    Scan your system with Kaspersky in Safe Mode.
    Let the program delete everything it finds.
    Save the logfile.

    -> Post the Kaspersky logfile, please.

    Run HijackThis, have it save a new log.
    Post it, please.

  7. #7
    Beginner
    Registered since
    10.09.2006
    Posts
    4

    Re: Help Plz. Virus Found - Log attached

    Kaspersky log:

    Code:
    Scan
    ----
    Scanned:	199767
    Detected:	19
    Untreated:	0
    Start time:	15/09/2006 17:41:21
    Duration:	02:34:00
    Finish time:	15/09/2006 20:15:21
    
    
    Detected
    --------
    Status	Object
    ------	------
    deleted: Trojan program Trojan-Downloader.JS.IstBar.ai	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C9A2DB7.htm/CryptFF
    deleted: Trojan program Trojan-PSW.Win32.LdPinch.jf	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18D541E9.exe/CryptFF/FSG
    deleted: Trojan program Trojan-PSW.Win32.Sinowal.aa	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2148606E.exe/CryptFF
    deleted: Trojan program Trojan.Win32.Agent.e	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\22025D3B.VIR/CryptFF/ASPack
    deleted: malware Exploit.HTML.Mht (modification)	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28752C1C.htm/CryptFF
    deleted: malware Exploit.Java.ByteVerify	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\287C0014.zip/CryptFF\BlackBox.class
    deleted: malware Exploit.Java.ByteVerify	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\287C0014.zip/CryptFF\VerifierBug.class
    deleted: Trojan program Trojan-Downloader.Java.OpenConnection.aa	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\287C0014.zip/CryptFF\Beyond.class
    deleted: malware Exploit.Java.ByteVerify	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\287F2A11.cla/CryptFF
    deleted: malware Exploit.Java.ByteVerify	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2882540D.cla/CryptFF
    deleted: Trojan program Trojan-Downloader.Win32.Small.cxx	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2D8D3C58.exe/CryptFF/FSG
    deleted: Trojan program Trojan-Spy.Win32.Sters.v	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F1D2FD2.exe/CryptFF/PE_Patch.UPX/UPX
    deleted: Trojan program Trojan-Downloader.BAT.Ftp.r	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46D36078.ftp/CryptFF
    deleted: virus Net-Worm.Win32.Dedler.q	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\487234B0.dll/CryptFF/UPX
    deleted: virus Net-Worm.Win32.Dedler.x	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\487808A9.dll/CryptFF/UPX
    deleted: Trojan program Trojan.Win32.Dialer.t	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\51432328.cab/CryptFF\Information.exe
    deleted: virus Net-Worm.Win32.Dedler.aa	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\51647910.dll/CryptFF/UPX
    deleted: pornware not-a-virus:Porn-Dialer.Win32.AsianRaw.be	File: C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\633B1F35.exe/CryptFF/JDPack
    deleted: Trojan program Trojan-Downloader.BAT.Ftp.j	File: C:\WINDOWS\system32\a
    
    
    Events
    ------
    Time	Name	Status	Reason
    ----	----	------	------
    
    
    Statistics
    ----------
    Object	Scanned	Detected	Untreated	Deleted	Moved to Quarantine	Archived	Compressed	Password protected	Corrupted
    ------	-------	--------	---------	-------	-------------------	--------	----------	------------------	---------
    Local Disk (C:)	199767	19	19	0	0	7020	192	136	0
    
    
    Settings
    --------
    Name	Value
    ----	-----
    Security Level	Recommended
    Action	Prompt for action when the scan is complete
    File types	All
    Scan new and changed files only	No
    Scan archives	All
    Scan embedded OLE objects	All
    Skip if object is greater than	No
    Skip if scan takes longer than	No
    Parse e-mail formats	No
    Scan password-protected archives	No
    Enable iChecker technology	Yes
    Enable iSwift technology	Yes
    Show detected threats on "Detected" tab	Yes


    HiJackThis log:

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 21:20:02, on 15/09/2006
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\System32\WDBtnMgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\HiJackThis\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.karoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwZgbp0Dbid84P3Cb/6BpdKQthdFJPuQbL1GbZKpz+cd2Bm7r3mZYr6FLiV6PjdyXckOAUZk/yA2oCc3U70XYxKxLbUPE0S60H
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.karoo.co.uk:8080
    R3 - URLSearchHook: (no name) -  - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\system32\dllcache\smss.exe
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\system32\dllcache\winlogon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Linksys Cordless Internet Telephony Kit.lnk = C:\Program Files\Linksys\Cordless Internet Telephony Kit\cit200.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157994385670
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2280C46B-DD13-41A3-8E36-0B83AB34F451}: NameServer = 192.168.100.101
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB09BD1-70F2-417F-9BE3-0B29B5B4A2ED}: NameServer = 212.50.160.100 213.249.130.100
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Network Client (nwclntc) - Unknown owner - C:\WINDOWS\system32\netclnc.exe (file missing)
    O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    Looks like Kaspersky removed loads of stuff that none of the other programs could find... why is that?

  8. #8
    Ruby, Supermod (retired)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.175

    Re: Help Plz. Virus Found - Log attached

    Hello Andy

    Kaspersky deleted the files out of Norton AntiVirus' Quarantine - that's fine.

    Let's go on to clean up your system...

    Please scan these files with HJT and Virustotal and/or Jotti

    C:\WINDOWS\system32\dllcache\smss.exe
    C:\WINDOWS\system32\dllcache\winlogon.exe
    C:\WINDOWS\system32\netclnc.exe
    C:\WINDOWS\system32\srvss.exe

    You may want to let us know the results of the scans by copy & paste (look for an example).
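As an added example (my own code, not HijackThis's, Kaspersky's or anything posted in this thread): the four files Ruby lists are exactly the two dllcache entries under O4 and the two "Unknown owner ... (file missing)" services under O23, and both patterns can be picked out of a HijackThis log mechanically. The sample lines are copied from the log posted above into a constructed excerpt; CORE_SYSTEM_IMAGES, triage and Finding are my own names, and the heuristics are assumptions, not HijackThis logic.

```python
"""Triage a HijackThis v1.99.1 log for two patterns seen in this thread.

Added example, not code from HijackThis, Kaspersky or the forum. The
heuristics and the names CORE_SYSTEM_IMAGES, Finding, triage are my own.
"""
import re
from dataclasses import dataclass

# Core Windows binaries the OS starts itself; a Run-key entry that launches
# one of them (here out of dllcache) is a classic impersonation trick.
CORE_SYSTEM_IMAGES = {"smss.exe", "winlogon.exe", "csrss.exe",
                      "services.exe", "lsass.exe"}

# HijackThis line shapes: "O4 - HKLM\..\Run: [name] command" and
# "O23 - Service: display (short) - owner - image path [(file missing)]".
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code: "O4" or "O23"
    reason: str
    line: str


def image_name(cmd: str) -> str:
    """Return the lower-cased base name of the executable in a Run command."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Flag O4 entries that launch a core system image and O23 services with
    an unknown owner whose image file is missing. These are leads, not verdicts."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()            # the forum paste indents every line
        m = O4_RE.match(line)
        if m:
            image = image_name(m.group("cmd"))
            if image in CORE_SYSTEM_IMAGES:
                findings.append(Finding("O4", f"core system image {image} started from a Run key", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner" and m.group("path").endswith("(file missing)"):
            findings.append(Finding("O23", "service with unknown owner and missing image file", line))
    return findings


# Constructed excerpt: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\system32\dllcache\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\system32\dllcache\winlogon.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client (nwclntc) - Unknown owner - C:\WINDOWS\system32\netclnc.exe (file missing)
O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Note that the stale Symantec LiveUpdate entry trips the same O23 rule, so hits are leads to confirm by hand (or with the Virustotal/Jotti scan suggested above), not verdicts.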
