System slowdown - probable trojans

[sweeprman]

I picked up something that has slowed my system to a crawl. I'm assuming it has something to do with fservices.exe since I ran several virus scanners that detect is as a trojan but so far I'm unable to get rid of it. C:\WINDOWS\services.exe also looks fishy to me as I thought services.exe ran from the system32 directory, but again I'm unable to identify what it is or how to get rid of it.

Hijackthis log follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:25 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\services.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: VS_IEHlprObj Class - {829CAB51-A4EA-4a15-87B6-4B7D0747939C} - C:\Program Files\Network Associates\VirusScan\bho.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: 1ClickPicGrabber - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CleanRam] C:\Program Files\Clean Ram\cleanram.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &1CPG Grab pictures on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEPICS.HTM
O8 - Extra context menu item: 1C&PG Grab Target File - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABLINK.HTM
O8 - Extra context menu item: 1C&PG Grab This Picture - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPIC.HTM
O8 - Extra context menu item: 1CPG Grab &movies on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEMOVIES.HTM
O8 - Extra context menu item: 1CPG Grab pict&ures this page links to - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGELINKS.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Pictures Grabber - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Pictures Grabber\pgb.exe (file missing)
O9 - Extra 'Tools' menuitem: &Pictures Grabber - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Pictures Grabber\pgb.exe (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: http://*.msn.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138057530984
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\SAgent4.exe



Thanks

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

You're right about that services.exe in %windir%, it's a bad guy, the proper one also shows in your running processes.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download Ewido Anti-Malware

• Install Ewido Anti-Malware
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------


Delete the following if they exist:

C:\WINDOWS\system32\fservice.exe
C:\WINDOWS\services.exe

---------------------------------------------------------------------------------------------


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

Ewido
Panda
HJT

[sweeprman]

Ran into a hangup. Booted into Safe mode after installing the two software aps. Scanned with Hijackthis and checked the two R0 and the one F2 lines following with Fix Checked.
Successfuly deleted C:\WINDOWS\system32\fservice.exe, but could not delete C:\WINDOWS\services.exe as it is still in use.
Followed up with another hijackthis scan and the 'F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe' line is still there. It appears that hijackthis isn't fixing that entry.

After rebooting in normal mode fservice.exe reappears back into the system32 directory. Also note, that there is also a fservice.exe.bat file in that same directory.

I'm attaching another log file for further review and await further instructions.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 1:08:36 AM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\services.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\notepad.exe
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: VS_IEHlprObj Class - {829CAB51-A4EA-4a15-87B6-4B7D0747939C} - C:\Program Files\Network Associates\VirusScan\bho.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: 1ClickPicGrabber - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CleanRam] C:\Program Files\Clean Ram\cleanram.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &1CPG Grab pictures on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEPICS.HTM
O8 - Extra context menu item: 1C&PG Grab Target File - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABLINK.HTM
O8 - Extra context menu item: 1C&PG Grab This Picture - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPIC.HTM
O8 - Extra context menu item: 1CPG Grab &movies on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEMOVIES.HTM
O8 - Extra context menu item: 1CPG Grab pict&ures this page links to - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGELINKS.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Pictures Grabber - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Pictures Grabber\pgb.exe (file missing)
O9 - Extra 'Tools' menuitem: &Pictures Grabber - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Pictures Grabber\pgb.exe (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: http://*.msn.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138057530984
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\SAgent4.exe

[tetonbob]

Please zip up and attach the fservice.exe.bat to your next reply.

Did you run Ewido, or just stop at that instruction? Ewido is a powerful antimalware tool, and may rip those out.

[sweeprman]

Attached is the zipped .bat file. I hadn't run Cleanup or Ewido when I posted last (as I thought that being unable to delete the services.exe might through a wrench in the whole thing) but went ahead and conducted the scans in Safe Mode after reading your last reply. Logs follow:

EWIDO:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:17:48 AM, 6/5/2006
+ Report-Checksum: 3A406F44

+ Scan result:

[824] C:\WINDOWS\services.exe -> Backdoor.Prorat.19.i : Cleaned with backup
[1084] C:\WINDOWS\system32\winkey.dll -> Backdoor.Prorat.19.ah : Cleaned with backup
[1188] C:\WINDOWS\system32\winkey.dll -> Backdoor.Prorat.19.ah : Error during cleaning
C:\Program Files\1st Position 2.5\1stPosition.exe.bak -> Backdoor.Bifrose.mv : Cleaned with backup
C:\Program Files\EA Games\The Sims 2\SimsCelebrity.exe/simspatch.exe -> Backdoor.Wootbot : Cleaned with backup
C:\QUARANTINE\gdnUS1035[1].exe.Vir -> Trojan.Dialer.ay : Cleaned with backup
C:\QUARANTINE\gdnUS1035[1].exe.Vir.0 -> Trojan.Dialer.ay : Cleaned with backup
C:\QUARANTINE\msbb[1].exe.Vir -> Adware.180Solutions : Cleaned with backup
C:\QUARANTINE\sploit[1].anr.Vir -> Downloader.Ani.c : Cleaned with backup
C:\QUARANTINE\sploit[1].anr.Vir.0 -> Downloader.Ani.c : Cleaned with backup
C:\QUARANTINE\sploit[1].anr.Vir.1 -> Downloader.Ani.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WinAdServX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\services.exe -> Backdoor.Prorat.19.i : Cleaned with backup
C:\WINDOWS\system\sservice.exe -> Backdoor.Prorat.19.i : Cleaned with backup
C:\WINDOWS\system32\fservice.exe -> Backdoor.Prorat.19.i : Cleaned with backup
C:\WINDOWS\system32\reginv.dll -> Backdoor.Prorat.19.i : Cleaned with backup
C:\WINDOWS\system32\reginv.dll_tobedeleted -> Backdoor.Prorat.19.i : Cleaned with backup
C:\WINDOWS\system32\winkey.dll -> Backdoor.Prorat.19.ah : Cleaned with backup
C:\WINDOWS\system32\winkey.dll_tobedeleted -> Backdoor.Prorat.19.ah : Cleaned with backup


::Report End

PANDA:


Incident Status Location

Adware:adware/azesearch Not disinfected c:\myvbs.vbs
Adware:adware/dyfuca Not disinfected c:\windows\STWSI
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/superspider Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Adware:adware/favadd Not disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2b716a62-671c8744.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2b716a62-671c8744.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2b716a62-671c8744.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2b716a62-671c8744.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3dae1402-6dc45113.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3dae1402-6dc45113.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3dae1402-6dc45113.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3dae1402-6dc45113.zip[Beyond.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-68978e16-32b522cf.zip[Mein.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-68978e16-32b522cf.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1c836ba2-37442b36.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1c836ba2-37442b36.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1c836ba2-37442b36.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1c836ba2-37442b36.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3852b20e-4d7ee93f.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3852b20e-4d7ee93f.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3852b20e-4d7ee93f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3852b20e-4d7ee93f.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7bc864be-31d604f1.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7bc864be-31d604f1.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7bc864be-31d604f1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7bc864be-31d604f1.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3b6ccbd9-65029902.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3b6ccbd9-65029902.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3b6ccbd9-65029902.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3b6ccbd9-65029902.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4f293f6f-64728aad.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4f293f6f-64728aad.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4f293f6f-64728aad.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4f293f6f-64728aad.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69741795-6650ce4e.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69741795-6650ce4e.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69741795-6650ce4e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-69741795-6650ce4e.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-dd757b2-40140442.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-dd757b2-40140442.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-dd757b2-40140442.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-dd757b2-40140442.zip[Beyond.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-61c7bb1f.zip[Beyond.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-61c7bb1f.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-61c7bb1f.zip[Dummy.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-61c7bb1f.zip[VerifierBug.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-1897544a.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-71b3339b.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-138bd5b0.zip[javainstaller/InstallerApplet.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv505.jar-2a45da8b-2ec43ea8.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv505.jar-2a45da8b-2ec43ea8.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv505.jar-2a45da8b-2ec43ea8.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv505.jar-2a45da8b-2ec43ea8.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv684.jar-6cc4c343-4168d2e7.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv684.jar-6cc4c343-4168d2e7.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv684.jar-6cc4c343-4168d2e7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv684.jar-6cc4c343-4168d2e7.zip[Parser.class]
Virus:Trj/Downloader.MR Disinfected C:\Documents and Settings\Dad\DoctorWeb\Quarantine\vx1sp__0.chm
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Documents and Settings\Dad\My Documents\backups\backup-20040728-203900-159.inf
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe
Virus:Exploit/LoadImage Disinfected C:\QUARANTINE\1125217937[1].ani.Vir

HJT

Logfile of HijackThis v1.99.1
Scan saved at 931 AM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: VS_IEHlprObj Class - {829CAB51-A4EA-4a15-87B6-4B7D0747939C} - C:\Program Files\Network Associates\VirusScan\bho.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: 1ClickPicGrabber - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CleanRam] C:\Program Files\Clean Ram\cleanram.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &1CPG Grab pictures on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEPICS.HTM
O8 - Extra context menu item: 1C&PG Grab Target File - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABLINK.HTM
O8 - Extra context menu item: 1C&PG Grab This Picture - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPIC.HTM
O8 - Extra context menu item: 1CPG Grab &movies on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEMOVIES.HTM
O8 - Extra context menu item: 1CPG Grab pict&ures this page links to - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGELINKS.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Pictures Grabber - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Pictures Grabber\pgb.exe (file missing)
O9 - Extra 'Tools' menuitem: &Pictures Grabber - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Pictures Grabber\pgb.exe (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: http://*.msn.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138057530984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\SAgent4.exe

Thanks,

[tetonbob]

Excellent, that's much better. And it's better to be safe than sorry, so that's ok. Ewido looks to have done as I thought it would.

Now for round 2.

Download CWShredder and run it. Click on Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

-----------------------------------------------------------------

See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

• Under Temporary Internet Files, click the Delete Files button.
• There are three options in the window to clear the cache - Leave ALL 3 Checked
  • Downloaded Applets
    Downloaded Applications
    Other Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Java Control Panel.

-----------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

[-hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

-----------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

c:\myvbs.vbs
c:\windows\STWSI
C:\Documents and Settings\Dad\My Documents\backups\backup-20040728-203900-159.inf
C:\Program Files\MyEmoticons\uninstall.exe

If they resist deletion, boot to safe mode and delete from there.


---------------------------------------------------------------------------------------------

Create an uninstall list:

• Open HiJackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• Click on the Box that says "Open Uninstall Manager"
• Click on the button "Save list"
• Copy and past the List from the notepad file into your post

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

So, please post results from:

Uninstall List
Kaspersky online scan
HJT

How is your system behaving now please?

[sweeprman]

Here's the latest round of logs:

Uninstall List

1ClickPicGrabber
ABBYY FineReader 5.0 Sprint Plus
AC-3 ACM Decompressor
Ad-Aware SE Personal
Adobe Acrobat 7.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Stock Photos 1.0
Allok Video Joiner 1.5.8
Allok Video Splitter 1.4.6
Alocet PDF Writer
AnalogX DXMan
ArcSoft PhotoImpression
ARELIS 4.4.2
Armies of the Imperium
Armies of the Imperium Patch v2.6.05
Army Builder V2.2c
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Multimedia Center 7.9.0.0
ATI Multimedia Center 9.13
AvantGo Client
AVIcodec (remove only)
AviSynth 2.5
BlindWrite suite
BSPlayer
Call of Duty(R) 2
CleanUp!
Crosstrainer
DAEMON Tools
DAO
DAO
DawnOfWar
Digital Video Camera Manager
DivX
DivX Player
Documents To Go
DVD Shrink 3.2
DVDXCopy Xpress 3.0.2
Dynamic Link Promoter
Easy Icon Maker
Easy Schedule Maker
Elecard MPEG2 Decoder Package 2.0
eMule
Enemies of the Imperium
Enemies of the Imperium Patch v2.6.05
EPSON Printer Software
ewido anti-malware
Fast File Saw & Joiner V3.2
Forté Agent
FTDI USB Serial Converter Drivers
Galactic Civilizations II
Galactopedia
Google Earth
GSpot Codec Information Appliance
GTW V.92 Voice Modem
GUIDE PLUS+(TM) for Windows® System - ATI
Half-Life
Half-Life(R) 2
Half-Life: Counter-Strike
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
hp dvd writer
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
HWiNFO32 Version 1.41
IBP 8.1
IconEdit2 v4.2
Immortal Cities: Children of the Nile
Intel(R) PRO Network Adapters and Drivers
Ipswitch WS_FTP LE
IrfanView (remove only)
IsoBuster 1.5
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_04
Lavasoft VX2 Cleaner
Learn2 Player (Uninstall Only)
Link Popularity Check 3.0.1
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Shockwave Player
MasterCook 5: The Best of MasterCook
MasterCook Deluxe 9
McAfee VirusScan Enterprise
MediaFACE 4.01
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.4)
MSN Messenger 7.5
MSN Music Assistant
MuVo Driver
Nero 6 Ultra Edition
Net Spite and Malice 5
Neverwinter Nights
Paint.NET v2.5
Palm Conduit Support for COM
palmOne
Panda ActiveScan
PCPitstop Panda AntiVirus Scan (remove only)
PicaLoader 1.47.1231
PowerDVD
QuickBooks Premier Edition 2006
Quicken 2006
QuickTime
QXpress Version 6.0
RCT3 Soaked
RealPlayer
RecordNow
RegistryFix v5.0
Rhapsody Player Engine
RollerCoaster Tycoon® 3
Savings Bond Wizard
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Serif PhotoPlus 6.0
SharpReader 0.9.5.1
Shockwave
Shoppers' Hotline Control Center
Sierra Utilities
SimCity 4 Deluxe
SkillSoft Course Manager
SmartDraw 7
Sound Blaster Live!
Sound Blaster Live! Web 2K/XP
SoundMAX
Spybot - Search & Destroy 1.4
Steam
The Sims 2
The Sims 2 Nightlife
The Sims 2 University
TitanTV Client components for ATI
TMPGEnc DVD Author 1.5
TMPGEnc Plus 2.5
TurboTax Basic 2005
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Utilità Sierra
WebPosition 4
WexTech AnswerWorks
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Wisdom-soft ScreenHunter 4.0 Free
WM Recorder + RM Recorder 10.21
World of Warcraft
XviD 1.1 final uninstall
Yahoo! Messenger
yProxy

Kaspersky online scan

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, June 05, 2006 3:53:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 5/06/2006
Kaspersky Anti-Virus database records: 198499
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 146792
Number of viruses found: 5
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 03:36:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{036D5183-69B5-46F2-879A-7A354A7D789A}\Microsoft\Outlook Express\Sent Items.dbx/[From <sweeprman2005@gawab.com>][Date Fri, 4 Mar 2005 19:38:34 -0500]/UNNAMED/543.rar/dddd.exe Infected: Email-Worm.Win32.Bagle.pac skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{036D5183-69B5-46F2-879A-7A354A7D789A}\Microsoft\Outlook Express\Sent Items.dbx/[From <sweeprman2005@gawab.com>][Date Fri, 4 Mar 2005 19:38:34 -0500]/UNNAMED/543.rar Infected: Email-Worm.Win32.Bagle.pac skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{036D5183-69B5-46F2-879A-7A354A7D789A}\Microsoft\Outlook Express\Sent Items.dbx/[From <sweeprman2005@gawab.com>][Date Fri, 4 Mar 2005 19:38:34 -0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.pac skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{036D5183-69B5-46F2-879A-7A354A7D789A}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{27BB1562-9555-4161-BF90-CD2AF00FAAAD}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "Francis Kitson" <elena.siegel@chi.leoburnett.com>][Date Wed, 31 May 2006 08:20:40 +0200 UT]/html/Notification_Plolice.doc.zip/Notification_Plolice.doc______________________________________________________________.exe Infected: Trojan-Downloader.Win32.Agent.ajn skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{27BB1562-9555-4161-BF90-CD2AF00FAAAD}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "Francis Kitson" <elena.siegel@chi.leoburnett.com>][Date Wed, 31 May 2006 08:20:40 +0200 UT]/html/Notification_Plolice.doc.zip Infected: Trojan-Downloader.Win32.Agent.ajn skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{27BB1562-9555-4161-BF90-CD2AF00FAAAD}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "Francis Kitson" <elena.siegel@chi.leoburnett.com>][Date Wed, 31 May 2006 08:20:40 +0200 UT]/html Infected: Trojan-Downloader.Win32.Agent.ajn skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{27BB1562-9555-4161-BF90-CD2AF00FAAAD}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "Francis Kitson" <elena.siegel@chi.leoburnett.com>][Date Wed, 31 May 2006 08:20:40 +0200 UT]/html/Notification_Plolice.doc.zip/Notification_Plolice.doc______________________________________________________________.exe Infected: Trojan-Downloader.Win32.Agent.ajn skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{27BB1562-9555-4161-BF90-CD2AF00FAAAD}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "Francis Kitson" <elena.siegel@chi.leoburnett.com>][Date Wed, 31 May 2006 08:20:40 +0200 UT]/html/Notification_Plolice.doc.zip Infected: Trojan-Downloader.Win32.Agent.ajn skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{27BB1562-9555-4161-BF90-CD2AF00FAAAD}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "Francis Kitson" <elena.siegel@chi.leoburnett.com>][Date Wed, 31 May 2006 08:20:40 +0200 UT]/html Infected: Trojan-Downloader.Win32.Agent.ajn skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{27BB1562-9555-4161-BF90-CD2AF00FAAAD}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx Mail MS Outlook 5: infected - 6 skipped
C:\QUARANTINE\enter[1].htm.Vir/packed Infected: Trojan-Downloader.JS.Psyme.ap skipped
C:\QUARANTINE\enter[1].htm.Vir GZIP: infected - 1 skipped
C:\QUARANTINE\enter[1].htm.Vir.0 Infected: Trojan-Downloader.JS.Psyme.ap skipped
C:\QUARANTINE\enter[1].htm.Vir.1/packed Infected: Trojan-Downloader.JS.Psyme.ap skipped
C:\QUARANTINE\enter[1].htm.Vir.1 GZIP: infected - 1 skipped
C:\QUARANTINE\enter[1].htm.Vir.2 Infected: Trojan-Downloader.JS.Psyme.ap skipped
C:\SIERRA\Half-Life\hltv.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped


Scan process completed.

HJT

Logfile of HijackThis v1.99.1
Scan saved at 3:57:26 PM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: VS_IEHlprObj Class - {829CAB51-A4EA-4a15-87B6-4B7D0747939C} - C:\Program Files\Network Associates\VirusScan\bho.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: 1ClickPicGrabber - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CleanRam] C:\Program Files\Clean Ram\cleanram.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &1CPG Grab pictures on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEPICS.HTM
O8 - Extra context menu item: 1C&PG Grab Target File - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABLINK.HTM
O8 - Extra context menu item: 1C&PG Grab This Picture - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPIC.HTM
O8 - Extra context menu item: 1CPG Grab &movies on this page - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGEMOVIES.HTM
O8 - Extra context menu item: 1CPG Grab pict&ures this page links to - res://C:\Program Files\ZaberSoft\1ClickPicGrabber\1ClickPicGrabber.dll/GRABPAGELINKS.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Pictures Grabber - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Pictures Grabber\pgb.exe (file missing)
O9 - Extra 'Tools' menuitem: &Pictures Grabber - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Pictures Grabber\pgb.exe (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: http://*.msn.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138057530984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\SAgent4.exe


Things seem to be running better so far...

[tetonbob]

I should have had you delete that C:\WINDOWS\system32\fservice.exe.bat file as well last time. Please do so now, if you haven't already.


Please Uninstall Java 2 Runtime Environment, SE v1.4.2_04

Having it on your system leaves an opening for malware writers who exploit weaknesses in it's code.

-------------------------------------------------------------

You have a few bad guys in your email folders....sent items, and bulk mail. I'd recommend you delete all items from these areas.

C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{036D5183-69B5-46F2-879A-7A354A7D789A}\Microsoft\Outlook Express\Sent Items.dbx

C:\Documents and Settings\Dad\Local Settings\Application Data\Identities\{27BB1562-9555-4161-BF90-CD2AF00FAAAD}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx

-------------------------------------------------------------

Delete everything in this folder:

C:\QUARANTINE

-------------------------------------------------------------

Let me know if any of this poses any problem. We should be nearly done. I'll have final housekeeping and protection instructions for you if all is well.

[sweeprman]

Allrighty then. Got all that knocked out. Anything else I should do?

[tetonbob]

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software
  
  
• IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
  
  
• AVG

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.