iso help w/ this log from hijackthis v1.99.1

[NihLathak]

Logfile of HijackThis v1.99.1
Scan saved at 2:11:03 AM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe



thus far, i have been told by a friend that i should keep the following three unchecked. but he told me to check on a forum anyway so i dont ruin anything.

these 3 i have unchecked atm:

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


please help me, im clueless atm

[NihLathak]

bump this

[NihLathak]

Quote:

Originally Posted by NihLathak

bump this

[NihLathak]

bump this again

[Sempurna]

HI NihLathak,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

Spyware Doctor's OnGuard protective functionality may interfere with certain fixes we need to make. Please follow these instructions to disable it.

To deactivate Spyware Doctor's OnGuard Tools:

• From within Spyware Doctor, click the "OnGuard" button on the left side.
• Uncheck "Activate OnGuard".

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O15 - Trusted Zone: http://*.trymedia.com (HKLM)


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:

1. Run the CCleaner installer.
2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
3. Once installed, run CCleaner and click the Windows tab.
4. Select the following:
   • Check everything under the Internet Explorer section.
   • Check everything under the Windows Explorer section.
   • Check everything under the System section.
   • Check ONLY Old Prefetch data under the Advanced section.
5. Then, click the Applications tab:
   • UNCHECK everything there.
6. Next, click the Options button, then click the Advanced button:
   • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

• Save it to your desktop.
• Double-click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Panda ActiveScan:

1. Once you are on the Panda site click the "Scan your PC" button located at the bottom of the page.
2. A new window will open... click the "Check Now" button.
3. Enter your Country.
4. Enter your State/Province.
5. Enter your e-mail address.
6. Select either Home User or Company.
7. Click the big "Free Online Scan" button.
8. If it wants to install an ActiveX component allow it.
9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
10. When the download is complete, click on "Local Disks" to start the scan.
11. When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.

NEXT:

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):

1. Click on Kaspersky Online Scanner.
2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
3. The program will launch and then begin downloading the latest definition files.
4. Once the files have been downloaded click on Next.
5. Now click on Scan Settings.
6. In the scan settings make sure that the following are selected:
   • Scan using the following Anti-Virus database:
     Extended
   • Scan Options:
     Scan Archives
     Scan Mail Bases
7. Click OK.
8. Now under select a target to scan:
   • Select My Computer.
9. This program will start and scan your system.
10. The scan will take a while so be patient and let it run.
11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
12. Save the file to your desktop.
13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

1. The log from the ComboFix scan.
2. The log from the Panda scan.
3. The log from the Kaspersky scan.
4. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

[NihLathak]

thus far, the help here has been wonderful especially since its free ftw?

anyway lemme post these logs.

this is the combo one :

"Compaq_Administrator" - 2007-05-09 21:08:52 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Compaq_Administrator\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 ))))))))))))))))))))))))))))))))))


2007-05-09 20:59 2,714,784 --a------ C:\ccsetup139.exe
2007-05-09 20:59 <DIR> d-------- C:\Program Files\CCleaner
2007-05-06 18:06 <DIR> d-------- C:\Program Files\Opera
2007-05-06 18:06 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Opera
2007-05-06 02:15 6,561,496 --a------ C:\Opera_9.20_International_Setup.exe
2007-05-05 22:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-05-05 22:07 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2007-05-05 22:07 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2007-05-05 22:07 56,832 --a------ C:\WINDOWS\system32\sol.exe
2007-05-05 22:07 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-05-05 22:07 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-05-05 22:07 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-05-05 22:07 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-05-05 22:07 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2007-05-05 22:07 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2007-05-05 22:07 114,688 --a------ C:\WINDOWS\system32\calc.exe
2007-05-05 22:07 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-10 00:00:16 -------- d-----w C:\Program Files\Diablo II
2007-05-09 23:37:35 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-09 23:13:58 -------- d-----w C:\Program Files\Trillian
2007-05-06 0236 -------- d-----w C:\Program Files\Online Services
2007-05-06 0207 -------- d-----w C:\Program Files\Windows NT
2007-03-27 04:02:48 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\U3
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 14:36:06 2,010,624 ----a-w C:\ventrilo-2.3.0-Windows-i386.exe
2007-02-25 03:17:56 254,680 ----a-w C:\wddu.exe
2007-02-14 21:25:30 11,352,928 ----a-w C:\sdsetup.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}"="C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar2.dll"
"{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}"="C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
"{B56A7D7D-6927-48C8-A975-17DF180C71AC}"="C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk
C:\PROGRA~1\MICROS~4\Office\OSA9.EXE -b -l

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^reschedhpsu.lnk
C:\hp\bin\CLOAKER.EXE c:\hp\bin\commands /c /ww C:\hp\drivers\hpsu\ReSchedHPSU.bat

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alwaysready power message app
ARPWRMSG.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aniwzcs2service
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avg7_cc
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d-link airplus g
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\discover
C:\Program Files\DISC\DISCover.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\discupdatemanager
C:\Program Files\DISC\DiscUpdMgr.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehtray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbootop
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\is cfgwiz
c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcpldaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcdrprofiler
"C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard
C:\WINDOWS\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reminder
"C:\Windows\Creator\Remind_XP.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssc_userprompt
"c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K]
Shell\AutoRun\command K:\LaunchU3.exe -a

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-09 21:10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-09 21:10:48
C:\ComboFix-quarantined-files.txt ... 2007-05-09 21:10



okay, this is the panda scan :


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix.exe[ComboFixT\nircmd.exe]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.kinghost.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.fortunecity.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\C2152591d01[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/PeoplePC Not disinfected C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe


okay this is the kavscan :

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 10, 2007 12:02:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/05/2007
Kaspersky Anti-Virus database records: 315991
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 98527
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:56:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cert8.db Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\history.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\key3.db Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\parent.lock Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\MSHist012007050920070510\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP57\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{41FA48B2-A2FC-4FB9-8C3C-9B6ACF7E9880}.crmlog Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6FCDBC63-1446-4F21-8248-2CEDE52139A2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP57\change.log Object is locked skipped

Scan process completed.


and last but not least, the hijackthis scan :

Logfile of HijackThis v1.99.1
Scan saved at 1213 AM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe



okay i shall await for the helpers Lol :P

[Sempurna]

Hi NihLathak,

You're most welcome, NihLathak.

Please delete this FILE:

C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL

Everything else appears to be clean. Any persistent problems or suspicious behaviour on your machine that I should know about?

[NihLathak]

do i just delete that file or should i get rid of that entire folder?

also, just a random question...i play a game online, when i open the game and then exit it, ( it is a full screen game ) my background changes from a "ripple background" to just a plain color. I have no idea why...lol

[Sempurna]

Hi NihLathak,

Just delete the file.

Hmm, no idea why that happens to your background. It could be because the game is somehow causing Windows to *forget* the background (memory probably got screwed because of the game running).

Just some loose ends to tie up, and then we can let you go home.

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:

• CLICK HERE to download the offline installer.
  • Select "Java Runtime Environment (JRE) 6u1" and click the "Download" button to the right.
  • Check the box that says "Accept License Agreement".
  • Click on the link to download "Windows Offline Installation, Multi-language".
  • Save the file to your desktop.
• Next, uninstall your currently installed version from Add/Remove Programs.
• If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
• Examples of older versions in Add/Remove Programs:
  • Java 2 Runtime Environment, SE v1.4.2
  • J2SE Runtime Environment 5.0
  • J2SE Runtime Environment 5.0 Update 2
• Reboot your system.
• Install the new version by double-clicking on the file you downloaded.

NEXT:

Everything looks great --- your HijackThis log appears to be clean.

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Windows Updates (a must!)
  It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.
  
  
• Firewall (a must!)
  It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
  Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.
  
  
• Also make sure to run your antivirus software regularly, and to keep it up-to-date.
  
  
• SpywareBlaster
  This is a great FREE prevention tool to keep nasties from installing on your system.
  Tutorial: How to use!
  
  
• IE-SPYAD
  This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  Tutorial: How to use!
  
  
• Spybot - Search & Destroy
  This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
  Tutorial: How to use!
  
  
• Ad-Aware SE
  This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy compliment each other very well.
  Tutorial: How to use!
  
  
• AVG Anti-Spyware
  This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
  User Manual: How to use!
  
  
• SUPERAntiSpyware
  This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware compliment each other very well.
  Quick Guide: How to use!

Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck!


Please respond one more time and let me know you received this post, so that it can be marked as resolved, unless you have other problems.