Old 10-05-2005, 01:50 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


hjt log from cobra please look and advise

Hi, I have done a new log and placed it here for help.
My computer is running really slow opening and closing programs.
I run Spybot weekly; it finds stuff, I delete it, but with no improvement.
I recently ran antivirus, found 5 trojans, thought that might help, but it's still really slow. Anyway, here is the log, and many thanks for looking.

Cobra
Logfile of HijackThis v1.99.1
Scan saved at 20:35:34, on 05/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinTV\WinTV2K.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\temp folder for downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://znfgdnnmnonrgauyavuckl.com/vq...VKGlWkW/k.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/welcome/freeserve.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6EB2B482-A7E4-36AA-6E6E-6503D8A1718A} - C:\DOCUME~1\ADMINI~1\APPLIC~1\LISTPI~1\CAMP MEET.exe
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Isass] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [Anti] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [NvMsnW] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [eKXfT8vAE] C:\WINDOWS\rmdejif.exe
O4 - HKLM\..\Run: [eKXfT8vùõš/‚²‘ÆßfÏC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rmdejif.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [FastFileBookOnce] C:\Documents and Settings\All Users\Application Data\Move mags fast file\CityDash.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Isass] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\RunServices: [Anti] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\RunServices: [NvMsnW] C:\WINDOWS\system32\Isass.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "d:\halflife2\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxmk36953GB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...ridge-c284.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...b_download.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095189759318
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
cobra1968 is offline  

Old 10-05-2005, 03:03 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Your log appears to be incomplete. You should have some entries after the O16s. Please check if this is so. If not, please download & run the attachment I placed on this post. It would produce a log for you to paste here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Before doing so, please uninstall the following:

ISTsvc
Messenger Plus 3


Go to Windows Control Panel>Add/Remove Programs
  1. Uninstall Messenger Plus! 3
  2. The "Messenger Plus! - Setup" is now displayed.
  3. Click on the Uninstall button. (Options displayed on the first screen aren't related to the sponsor program.)
  4. The sponsor screen is now displayed (if not seen, search for it in your Task Bar).
  5. To prove that someone is currently reading the screen, you have to type the code that is displayed.
  6. Once you enter the code, press "Uninstall".
  7. Answer Yes when prompted to uninstall.
  8. Complete the uninstallation by following the instructions that are displayed.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Then have HJT fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://znfgdnnmnonrgauyavuckl.com/v...0VKGlWkW/k.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {6EB2B482-A7E4-36AA-6E6E-6503D8A1718A} - C:\DOCUME~1\ADMINI~1\APPLIC~1\LISTPI~1\CAMP MEET.exe
O4 - HKLM\..\Run: [Isass] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [Anti] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [NvMsnW] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [eKXfT8vAE] C:\WINDOWS\rmdejif.exe
O4 - HKLM\..\Run: [eKXfT8vùõš/‚²‘ÆßfÏC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rmdejif.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [FastFileBookOnce] C:\Documents and Settings\All Users\Application Data\Move mags fast file\CityDash.exe
O4 - HKLM\..\RunServices: [Isass] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\RunServices: [Anti] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\RunServices: [NvMsnW] C:\WINDOWS\system32\Isass.exe
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZNxmk36953GB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...bridge-c284.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares...sb_download.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...0/Installer.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Documents and Settings\All Users\Application Data\Move mags fast file\
    C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\
    C:\DOCUME~1\ADMINI~1\APPLIC~1\LISTPI~1\
    C:\Program Files\ISTsvc\
    C:\Program Files\MessengerPlus! 3\
Locate and delete the following files:
  • C:\WINDOWS\system32\Isass.exe (do not mistake it for LSASS.exe)
    C:\WINDOWS\rmdejif.exe

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  1. Select Drive C: & click the 'OK' button
  2. Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  3. Click the 'OK' button

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Reboot & then download fl.zip.
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


I require these logs in your next reply:

HJT
rquery.txt
findlop.txt

Last edited by sUBs; 10-05-2005 at 03:04 PM.
sUBs is offline  
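Added here as an illustration, not part of the thread or of HijackThis itself: a Python triage script that parses O2 and O4 lines in the HijackThis log format and flags the patterns sUBs acted on above (the capital-I Isass.exe imitating lsass.exe, the Win9x-era RunServices key, a BHO registered as an .exe, executables launched from Application Data, and a machine-generated value name). The sample lines are constructed from the first post; the heuristics, marker lists and thresholds are my own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the first log in the thread (a few lines only; the
# legitimate Symantec and Windows Messenger entries are kept as controls).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6EB2B482-A7E4-36AA-6E6E-6503D8A1718A} - C:\DOCUME~1\ADMINI~1\APPLIC~1\LISTPI~1\CAMP MEET.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Isass] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [eKXfT8vAE] C:\WINDOWS\rmdejif.exe
O4 - HKLM\..\RunServices: [NvMsnW] C:\WINDOWS\system32\Isass.exe
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
# A quoted path, or an unquoted one cut at the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|ocx|com|bat|scr|pif))(?=\s|$)', re.I)
# Core Windows binaries that legitimate software never registers under a Run key (assumed list).
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
# Characters swapped to imitate those names (capital I for lowercase l, 0 for o).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\",
                   "\\applic~1\\", "\\local settings\\", "\\temp\\")

def extract_path(command: str) -> str:
    """Executable path from a Run value, with arguments such as /background dropped."""
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0] if command else ""

def lookalike_of(name: str) -> Optional[str]:
    """System binary the file name matches once confusable characters are folded."""
    folded = name.translate(CONFUSABLES).lower()
    return folded if folded in SYSTEM_BINARIES else None

def looks_random(value_name: str) -> bool:
    """Weak heuristic (assumption) for generated value names such as eKXfT8vAE."""
    if len(value_name) < 8 or " " in value_name or "_" in value_name:
        return False
    flips = sum(1 for a, b in zip(value_name, value_name[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    has_digit = any(c.isdigit() for c in value_name)
    return flips >= 3 and has_digit and not re.search(r"[a-z]{4}", value_name)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 (Run key) or O2 (BHO) line; other line types return None."""
    m = O4_RE.match(line)
    if m:
        _hive, key, value, command = m.groups()
        return {"kind": "O4", "key": key, "value": value,
                "path": extract_path(command), "line": line}
    m = O2_RE.match(line)
    if m:
        return {"kind": "O2", "key": "", "value": m.group(1),
                "path": m.group(3).strip(), "line": line}
    return None

def assess(entry: Dict[str, str]) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing odd."""
    reasons: List[str] = []
    name = entry["path"].replace("/", "\\").rsplit("\\", 1)[-1]
    if entry["kind"] == "O2" and not name.lower().endswith((".dll", ".ocx")):
        reasons.append("BHO points at an .exe; BHOs are in-process COM DLLs")
    if entry["kind"] == "O4":
        if entry["key"].lower().startswith("runservices"):
            reasons.append("RunServices is a Win9x-era key that XP software does not use")
        target = lookalike_of(name)
        if target and name.lower() != target:
            reasons.append(f"file name imitates {target} after folding look-alike characters")
        elif target:
            reasons.append(f"{target} is a core system binary; it is never started from Run")
        if looks_random(entry["value"]):
            reasons.append("value name looks machine-generated")
    if any(marker in entry["path"].lower() for marker in PROFILE_MARKERS):
        reasons.append("executable lives in a user-profile data folder")
    return reasons

def triage(log_text: str) -> List[Dict[str, object]]:
    """Only the entries that earned at least one reason, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        if entry and (reasons := assess(entry)):
            findings.append({"line": entry["line"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run against the sample it reports five of the seven lines and leaves ccApp and MSMSGS alone; on a full log it is a first pass to prioritise what a helper reads, not a verdict.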
Old 10-06-2005, 09:18 AM   #3 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


Thanks sUBs for the help so far. I did all that you asked and things are running a little better, but not as quick as it should be.
Messenger +3 had a trojan with it; AVG disposed of that.
Could not find Isass.exe or rmdejif.exe.
Here are the logs you asked for, and I look forward to your response.
Cobra
Logfile of HijackThis v1.99.1
Scan saved at 15:10:53, on 06/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\Explorer.EXE
D:\temp folder for downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lioyabkocc.biz/vq7aZijBhW...0VKGlWkW/k.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/welcome/freeserve.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095189759318
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A962DB-441A-457C-8D23-2EBBDEEFA503}: NameServer = 213.40.66.126 213.40.130.126
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Administrator\Application Data

01/01/2005 21:35 <DIR> Adobe
02/09/2005 13:04 <DIR> AdobeAUM
13/02/2005 21:33 <DIR> AdobeUM
26/01/2005 21:49 <DIR> Apple Computer
02/10/2005 22:22 <DIR> AVG7
30/08/2005 14:26 <DIR> BPFTP
30/12/2004 19:24 <DIR> CyberLink
23/10/2004 19:34 0 dm.ini
15/09/2004 04:35 <DIR> Help
14/09/2004 18:56 <DIR> Identities
17/09/2004 00:35 <DIR> InterTrust
14/03/2005 11:06 <DIR> Leadertech
25/09/2004 12:47 <DIR> Macromedia
06/10/2005 13:07 <DIR> Mfcdcopyboob
08/10/2004 13:00 <DIR> Microsoft Web Folders
16/09/2004 18:45 <DIR> MSN6
16/09/2004 21:36 <DIR> Real
16/09/2004 22:56 <DIR> Sun
14/09/2004 23:35 <DIR> Symantec
10/04/2005 15:22 <DIR> Yahoo! Messenger
1 File(s) 0 bytes
19 Dir(s) 2,065,166,336 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\All Users\Application Data

23/10/2004 19:42 <DIR> Adobe
26/01/2005 21:46 <DIR> Apple Computer
06/10/2005 13:25 <DIR> avg7
30/12/2004 19:11 <DIR> CyberLink
02/10/2005 22:18 <DIR> Grisoft
16/09/2004 18:45 <DIR> MSN6
18/09/2004 13:21 <DIR> nView_Profiles
27/04/2005 19:42 <DIR> QuickTime
08/10/2004 18:23 <DIR> SBT
16/09/2004 20:04 <DIR> Spybot - Search & Destroy
14/09/2004 23:37 <DIR> Symantec
23/04/2005 21:04 <DIR> Viewpoint
20/08/2005 13:38 <DIR> Windows Genuine Advantage
15/09/2005 00:11 <DIR> Yahoo! Companion
0 File(s) 0 bytes
14 Dir(s) 2,065,158,144 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Default User\Application Data

14/09/2004 19:26 <DIR> .
14/09/2004 19:26 <DIR> ..
14/09/2004 19:26 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 2,065,158,144 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\NetworkService\Application Data

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
DebugOptions REG_SZ 2048
Documents REG_SZ
DosPrint REG_SZ no
load REG_SZ
NetMessage REG_SZ no
NullPort REG_SZ None
Programs REG_SZ com exe bat pif cmd
Device REG_SZ HP DeskJet 690C,winspool,LPT1:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ SUE-OWJULEJADM2
DefaultUserName REG_SZ Administrator
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD 0xffffffff
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0x0
passwordexpirywarning REG_DWORD 0xe
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 0x1
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 0x1
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0x0
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 0x1
ShowLogonOptions REG_DWORD 0x0
AltDefaultUserName REG_SZ Administrator
AltDefaultDomainName REG_SZ SUE-OWJULEJADM2

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE REG_SZ C:\WINDOWS\system32\ctfmon.exe
WebCamRT.exe REG_SZ
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
Ashampoo PopUpBlocker REG_SZ D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
barb exit REG_SZ C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
SunJavaUpdateSched REG_SZ C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz REG_SZ nwiz.exe /install
Symantec NetDriver Monitor REG_SZ C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
LVCOMS REG_SZ C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
RemoteControl REG_SZ "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
TkBellExe REG_SZ "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AVG7_CC REG_SZ C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC REG_SZ C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
MSConfig REG_SZ C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun REG_DWORD 0x91
Btn_Back REG_DWORD 0x0
Btn_Forward REG_DWORD 0x0
Btn_Stop REG_DWORD 0x0
Btn_Refresh REG_DWORD 0x0
Btn_Home REG_DWORD 0x0
Btn_Search REG_DWORD 0x0
Btn_History REG_DWORD 0x0
Btn_Favorites REG_DWORD 0x0
Btn_Folders REG_DWORD 0x0
Btn_Fullscreen REG_DWORD 0x0
Btn_Tools REG_DWORD 0x0
Btn_MailNews REG_DWORD 0x0
Btn_Size REG_DWORD 0x0
Btn_Print REG_DWORD 0x0
Btn_Edit REG_DWORD 0x0
Btn_Discussions REG_DWORD 0x0
Btn_Cut REG_DWORD 0x0
Btn_Copy REG_DWORD 0x0
Btn_Paste REG_DWORD 0x0
Btn_Encoding REG_DWORD 0x0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs REG_SZ
DeviceNotSelectedTimeout REG_SZ 15
GDIProcessHandleQuota REG_DWORD 0x2710
Spooler REG_SZ yes
swapdisk REG_SZ
TransmissionRetryTimeout REG_SZ 90
USERProcessHandleQuota REG_DWORD 0x2710

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
Old 10-06-2005, 09:32 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A


Quote:
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply
You did not extract the contents of fl.zip into a new folder. As a result of that, your findlop.txt log is incorrect.

Please give me a new findlop.txt
__________________

Question - what have you done for the community today?
Old 10-06-2005, 09:57 AM   #5 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


Sorry, I should have read it better. Here is the log:
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Administrator\Application Data

01/01/2005 21:35 <DIR> Adobe
02/09/2005 13:04 <DIR> AdobeAUM
13/02/2005 21:33 <DIR> AdobeUM
26/01/2005 21:49 <DIR> Apple Computer
02/10/2005 22:22 <DIR> AVG7
30/08/2005 14:26 <DIR> BPFTP
30/12/2004 19:24 <DIR> CyberLink
23/10/2004 19:34 0 dm.ini
15/09/2004 04:35 <DIR> Help
14/09/2004 18:56 <DIR> Identities
17/09/2004 00:35 <DIR> InterTrust
14/03/2005 11:06 <DIR> Leadertech
25/09/2004 12:47 <DIR> Macromedia
06/10/2005 13:07 <DIR> Mfcdcopyboob
08/10/2004 13:00 <DIR> Microsoft Web Folders
16/09/2004 18:45 <DIR> MSN6
16/09/2004 21:36 <DIR> Real
16/09/2004 22:56 <DIR> Sun
14/09/2004 23:35 <DIR> Symantec
10/04/2005 15:22 <DIR> Yahoo! Messenger
1 File(s) 0 bytes
19 Dir(s) 2,063,429,632 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\All Users\Application Data

23/10/2004 19:42 <DIR> Adobe
26/01/2005 21:46 <DIR> Apple Computer
06/10/2005 13:25 <DIR> avg7
30/12/2004 19:11 <DIR> CyberLink
02/10/2005 22:18 <DIR> Grisoft
16/09/2004 18:45 <DIR> MSN6
18/09/2004 13:21 <DIR> nView_Profiles
27/04/2005 19:42 <DIR> QuickTime
08/10/2004 18:23 <DIR> SBT
16/09/2004 20:04 <DIR> Spybot - Search & Destroy
14/09/2004 23:37 <DIR> Symantec
23/04/2005 21:04 <DIR> Viewpoint
20/08/2005 13:38 <DIR> Windows Genuine Advantage
15/09/2005 00:11 <DIR> Yahoo! Companion
0 File(s) 0 bytes
14 Dir(s) 2,063,429,632 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Default User\Application Data

14/09/2004 19:26 <DIR> .
14/09/2004 19:26 <DIR> ..
14/09/2004 19:26 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 2,063,429,632 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A6CA35079391A953.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\admini~1\applic~1\mfcdco~1\Byte debug user.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Administrator'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/06/2005 12:00:00
NextRun: 10/06/2005 17:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/05/2000
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Administrator'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/06/2005 15:51:00
NextRun: 10/06/2005 19:52:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/06/2005
EndDate: 00/00/0000
StartTime: 19:52
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
Old 10-06-2005, 10:19 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A


Don't worry about it. It's a common error many people make. I needed that log to see if Messenger Plus left any surprises for you. Good thing that I did ask for that log. It left a time bomb for ya - A6CA35079391A953.job.

Okay... time to defuse it.

Have HijackThis fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lioyabkocc.biz/vq7aZijBh...s0VKGlWkW/k.cgi
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe



Uninstall this program - ViewPoint


Then delete these folders, if present:

C:\Documents and Settings\Administrator\Application Data\Mfcdcopyboob
C:\Program Files\ViewPoint



Perform an online scan with Internet Explorer at one of the following sites. Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.



In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Trend's Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
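The findlop.txt log above is what revealed the hidden job that sUBs calls a time bomb. As an added example (not part of the thread, and not findlop's or HijackThis's own code), here is a small Python triage script that parses the "[TRACE] Activating job" blocks that fl.bat prints and flags jobs that share the traits of A6CA35079391A953.job: marked Hidden, launched from a user profile's Application Data folder, a bare hex job name, no comment or working directory, and a last start that failed with 0x80070002 (HRESULT for ERROR_FILE_NOT_FOUND, meaning the target was already gone while the trigger stayed armed). The indicators are this example's own heuristics, and the sample input is an abridged copy of the two job blocks posted above.

```python
"""Added example: triage of a findlop-style scheduled-task dump."""
import re
from typing import Dict, List

# Constructed sample: an abridged copy of the two job blocks posted in the thread.
SAMPLE = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A6CA35079391A953.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\admini~1\applic~1\mfcdco~1\Byte debug user.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Administrator'
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 1

[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Administrator'
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 0
"""

JOB_RE = re.compile(r"^\[TRACE\] Activating job '(.+)'$")
KV_RE = re.compile(r"^([\w ]+):\s*(.*)$")      # "Key: value" lines
FLAG_RE = re.compile(r"^(\w+) = (\d+)$")        # "Flag = n" lines
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{16}\.job$")


def parse_jobs(text: str) -> List[Dict[str, str]]:
    """Split the trace dump into one dict per job; every value stays a string."""
    jobs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            current = {"JobName": m.group(1)}
            jobs.append(current)
            continue
        if not current or line.startswith("[TRACE]"):
            continue
        m = FLAG_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip("'")
    return jobs


def reasons_for(job: Dict[str, str]) -> List[str]:
    """Heuristic indicators (this example's own) that make a job worth a closer look."""
    reasons: List[str] = []
    app = job.get("ApplicationName", "").lower()
    if job.get("Hidden") == "1":
        reasons.append("task is marked Hidden")
    if "\\applic~1\\" in app or "\\application data\\" in app:
        reasons.append("target lives under a user profile's Application Data folder")
    # 0x80070002 is HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND): the target was not
    # present at the last launch, yet the job and its daily trigger remain armed.
    if job.get("StartError", "S_OK").lower() == "0x80070002":
        reasons.append("last start failed with 0x80070002 (target file not found)")
    if HEX_NAME_RE.match(job.get("JobName", "")):
        reasons.append("job name is a bare 16-hex-digit string, not a product name")
    if not job.get("Comment") and not job.get("WorkingDirectory"):
        reasons.append("no comment and no working directory set")
    return reasons


def suspicious_jobs(text: str) -> Dict[str, List[str]]:
    """Map job name -> reasons for every job that trips at least one indicator."""
    flagged: Dict[str, List[str]] = {}
    for job in parse_jobs(text):
        reasons = reasons_for(job)
        if reasons:
            flagged[job["JobName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_jobs(SAMPLE).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the sample, only A6CA35079391A953.job is reported, with all five indicators; the Symantec NetDetect job trips none. On a real findlop.txt the script would be fed the whole file, and a job that matches several indicators is the one to check before a scheduled trigger re-launches whatever its target turns out to be.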
Old 10-07-2005, 04:51 AM   #7 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


Hi sUBs, I did all the stuff. The Panda scan would not work; I could not put in details.
The ViewPoint program was not in Add and Remove, so I found all the files and folders and deleted them.
The computer is working a bit better but still hangs when loading programs.
Anyway, here are the logs for you:
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=SUE-OWJULEJADM2
Time=Thu Oct 06 23:19:42 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Professional Service Pack 2 (Build 2600)

[SPYSUBTRACT] An Unexpected Problem was encountered Error#: 0x80004003
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=SUE-OWJULEJADM2
Time=Fri Oct 07 00:01:49 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=SUE-OWJULEJADM2
Time=Fri Oct 07 00:05:41 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Started Scanning
Internet Cookies
Internet Cookies: Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'atdmt.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'doubleclick.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'hitbox.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'maxserving.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'servedby.advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'zedo.com' in 'Internet Explorer Cache'
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Power Scan'
Windows Registry: Found '' in 'CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}'
Windows Registry: Found '' in 'CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}'
Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}'
Windows Registry: Found '{86227D9C-0EFE-4F8A-AA55-30386A3F5686}' in 'S-1-5-21-1844237615-1580436667-854245398-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
Internet URL Shortcuts
Files and Directories
Files and Directories: Found 'ysb[1].dll' in 'C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\XP4V28PJ'
Files and Directories: Found '' in 'C:\Program Files\Real Spy Monitor'
Files and Directories: Found 'WinStat.exe' in 'D:\Program Files\Windows AdStatus'
Files and Directories: Found 'WinStatComm.dll' in 'D:\Program Files\Windows AdStatus'
Files and Directories: Found 'WinStatKeep.exe' in 'D:\Program Files\Windows AdStatus'
Files and Directories: Found 'backup-20051006-122336-255.inf' in 'D:\temp folder for downloads\backups'
Finished Scanning
Logfile of HijackThis v1.99.1
Scan saved at 11:19:42, on 07/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
D:\Program Files\Tmas.exe
C:\WINDOWS\system32\MDM.EXE
D:\temp folder for downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://egqdkqenaaehlyvtpxoloc.us/vq7...0VKGlWkW/k.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/welcome/freeserve.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = D:\Program Files\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095189759318
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 06, 2005 20:15:12
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/10/2005
Kaspersky Anti-Virus database records: 143505
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 85662
Number of viruses found: 7
Number of infected objects: 8
Number of suspicious objects: 4
Duration of the scan process: 6707 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\C8YWDTHI\ibar[1].js Infected: Trojan-Downloader.JS.IstBar.ad
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\ONYTNT4W\ysb_prompt[1].html Infected: Trojan-Downloader.JS.IstBar.j

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip/msexreg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip/trkgif.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip Suspicious: Password-protected-EXE

C:\WINDOWS\staff.html Infected: Trojan-Clicker.JS.Linker.j
C:\WINDOWS\system32\cmd.ftp Infected: Trojan-Downloader.BAT.Ftp.r
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D4TOR4J\mtrslib2[1].js Infected: Exploit.HTML.CodeBaseExec
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D4TOR4J\portal.soul-gate[1].htm Infected: Trojan-Clicker.JS.Linker.j
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KT0NMJ4N\portal.soul-gate[1].htm Infected: Trojan-Clicker.JS.Linker.j
D:\temp folder for downloads\backups\backup-20051006-122335-680.dll Infected: Trojan-Downloader.Win32.Swizzor.bo

Scan process completed.
Old 10-07-2005, 08:27 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,463
OS: N/A


Have HijackThis fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://egqdkqenaaehlyvtpxoloc.us/vq...M0VKGlWkW/k.htm
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe



Then delete these files/folders

C:\WINDOWS\staff.html
C:\WINDOWS\system32\cmd.ftp
D:\Program Files\Windows AdStatus
C:\Program Files\Real Spy Monitor



Download & install this program - CleanUp!.exe
Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


In your next reply, please post a fresh HJT log & a new findlop.txt
Let me know how your machine is behaving now.
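In both of his "Have HijackThis fix these" posts, sUBs singles out the same two kinds of line: an R1 Search Bar entry pointing at a host the owner never chose, and an O4 Run entry that launches from the Administrator profile's Application Data folder. As an added example (not part of the thread and not HijackThis's own code), here is a Python first-pass triage that applies those two checks to HJT R0/R1 and O4 lines. The allowlist of expected hosts and the list of user-writable path markers are assumptions made for this example; the sample lines are copied from the HijackThis log posted above, including the forum's own "..." truncation inside the URL.

```python
"""Added example: first-pass triage of HijackThis R0/R1 and O4 lines."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://egqdkqenaaehlyvtpxoloc.us/vq7...0VKGlWkW/k.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = D:\Program Files\Tmas.exe
"""

# Assumed allowlist: hosts this machine's owner is known to use (ISP, chosen
# home page, vendor). Any other host in an R0/R1 URL is reported.
EXPECTED_HOST_SUFFIXES = ("yahoo.com", "supanet.com", "freeserve.net", "microsoft.com")

# Assumed markers for folders an ordinary user can write to; legitimate
# autostart entries rarely point there (8.3 short names included).
USER_WRITABLE_MARKERS = ("\\applic~1\\", "\\application data\\", "\\local settings\\temp\\")

O4_NAMED_RE = re.compile(r"\[(.+?)\] (.*)$")   # "[name] command" form of an O4 line


def host_is_expected(host: str) -> bool:
    """True when the host is, or is a subdomain of, an allowlisted domain."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES)


def triage_hjt(text: str) -> List[Dict[str, str]]:
    """Return one {'entry', 'reason'} record per line that deserves attention."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        kind, _, rest = line.partition(" - ")
        if kind in ("R0", "R1") and " = " in rest:
            key, _, url = rest.rpartition(" = ")
            host = urlparse(url).hostname or ""
            if host and not host_is_expected(host):
                setting = key.rsplit(",", 1)[-1]
                findings.append({"entry": line,
                                 "reason": f"{setting} points at unexpected host {host}"})
        elif kind == "O4":
            m = O4_NAMED_RE.search(rest)
            # "[name] command" for Run keys, "name.lnk = target" for Startup folders
            command = m.group(2) if m else rest.rpartition(" = ")[2]
            hit = next((mk for mk in USER_WRITABLE_MARKERS if mk in command.lower()), None)
            if hit:
                findings.append({"entry": line,
                                 "reason": f"autostart runs from user-writable path (matched {hit!r})"})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f["reason"])
        print("   ", f["entry"])
```

On the sample this reports exactly the two lines sUBs asked HijackThis to fix and stays quiet on the Symantec, ctfmon and Trend Micro entries. The allowlist is the weak point of the R-line check: it has to be built from what the owner actually uses, which is why a helper normally asks before declaring a start page hijacked.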
Old 10-07-2005, 12:26 PM   #9 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


Hi sUBs, much better so far. The internet is much quicker; I did a speed test for ADSL and its speed is what it should be.
For other programs, speed is better.
One thing: the anti-spyware program keeps popping up saying software is trying to adjust my browser settings. I then have to allow or deny; if I press deny it just keeps popping up.
Here are the logs:
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Administrator\Application Data

01/01/2005 21:35 <DIR> Adobe
02/09/2005 13:04 <DIR> AdobeAUM
13/02/2005 21:33 <DIR> AdobeUM
26/01/2005 21:49 <DIR> Apple Computer
07/10/2005 12:16 <DIR> AVG7
30/08/2005 14:26 <DIR> BPFTP
30/12/2004 19:24 <DIR> CyberLink
23/10/2004 19:34 0 dm.ini
15/09/2004 04:35 <DIR> Help
14/09/2004 18:56 <DIR> Identities
17/09/2004 00:35 <DIR> InterTrust
14/03/2005 11:06 <DIR> Leadertech
25/09/2004 12:47 <DIR> Macromedia
06/10/2005 18:06 <DIR> Mfcdcopyboob
08/10/2004 13:00 <DIR> Microsoft Web Folders
16/09/2004 18:45 <DIR> MSN6
16/09/2004 21:36 <DIR> Real
16/09/2004 22:56 <DIR> Sun
14/09/2004 23:35 <DIR> Symantec
10/04/2005 15:22 <DIR> Yahoo! Messenger
1 File(s) 0 bytes
19 Dir(s) 2,398,818,304 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\All Users\Application Data

23/10/2004 19:42 <DIR> Adobe
26/01/2005 21:46 <DIR> Apple Computer
06/10/2005 13:25 <DIR> avg7
30/12/2004 19:11 <DIR> CyberLink
02/10/2005 22:18 <DIR> Grisoft
16/09/2004 18:45 <DIR> MSN6
18/09/2004 13:21 <DIR> nView_Profiles
27/04/2005 19:42 <DIR> QuickTime
08/10/2004 18:23 <DIR> SBT
16/09/2004 20:04 <DIR> Spybot - Search & Destroy
07/10/2005 12:50 <DIR> Symantec
20/08/2005 13:38 <DIR> Windows Genuine Advantage
15/09/2005 00:11 <DIR> Yahoo! Companion
0 File(s) 0 bytes
13 Dir(s) 2,398,818,304 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Default User\Application Data

14/09/2004 19:26 <DIR> .
14/09/2004 19:26 <DIR> ..
14/09/2004 19:26 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 2,398,818,304 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A6CA35079391A953.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\admini~1\applic~1\mfcdco~1\Byte debug user.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Administrator'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/06/2005 12:00:00
NextRun: 10/07/2005 20:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/05/2000
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Administrator'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/07/2005 15:59:00
NextRun: 10/07/2005 19:59:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/07/2005
EndDate: 00/00/0000
StartTime: 19:59
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


Logfile of HijackThis v1.99.1
Scan saved at 19:05:00, on 07/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
D:\Program Files\Tmas.exe
C:\WINDOWS\system32\MDM.EXE
D:\temp folder for downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/welcome/freeserve.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localh;;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = D:\Program Files\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095189759318
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
cobra1968 is offline  
Old 10-07-2005, 12:41 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Do you have 2 antivirus programs on your PC? That's highly inadvisable. Please uninstall one of them.

I have attached a file to this post - lopdel.txt
Download it & rename it "lopdel.BAT" (inclusive of the quotes)
Make sure you do not mistakenly rename it as lopdel.BAT.txt (double extensions)

** IMPORTANT - Place the lopdel.bat into the same folder as fl.bat

Launch lopdel.BAT by double-clicking it.
When it finishes running, it shall produce a report at C:\findlop.txt
Please post the contents of that report in your next reply.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 10-07-2005, 12:45 PM   #11 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


I don't have 2 antivirus programs. I did have Norton, then I uninstalled it and replaced it with AVG.
Today I took off Norton Firewall, so at the moment I don't have one. I will download ZoneAlarm and put that on after the computer is better, unless you have any other thoughts on it.
I am just doing the lopdel.bat file.
Cobra
cobra1968 is offline  
Old 10-07-2005, 12:48 PM   #12 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


Log file:
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Administrator\Application Data

01/01/2005 21:35 <DIR> Adobe
02/09/2005 13:04 <DIR> AdobeAUM
13/02/2005 21:33 <DIR> AdobeUM
26/01/2005 21:49 <DIR> Apple Computer
07/10/2005 12:16 <DIR> AVG7
30/08/2005 14:26 <DIR> BPFTP
30/12/2004 19:24 <DIR> CyberLink
23/10/2004 19:34 0 dm.ini
15/09/2004 04:35 <DIR> Help
14/09/2004 18:56 <DIR> Identities
17/09/2004 00:35 <DIR> InterTrust
14/03/2005 11:06 <DIR> Leadertech
25/09/2004 12:47 <DIR> Macromedia
08/10/2004 13:00 <DIR> Microsoft Web Folders
16/09/2004 18:45 <DIR> MSN6
16/09/2004 21:36 <DIR> Real
16/09/2004 22:56 <DIR> Sun
14/09/2004 23:35 <DIR> Symantec
10/04/2005 15:22 <DIR> Yahoo! Messenger
1 File(s) 0 bytes
18 Dir(s) 2,395,467,776 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\All Users\Application Data

23/10/2004 19:42 <DIR> Adobe
26/01/2005 21:46 <DIR> Apple Computer
06/10/2005 13:25 <DIR> avg7
30/12/2004 19:11 <DIR> CyberLink
02/10/2005 22:18 <DIR> Grisoft
16/09/2004 18:45 <DIR> MSN6
18/09/2004 13:21 <DIR> nView_Profiles
27/04/2005 19:42 <DIR> QuickTime
08/10/2004 18:23 <DIR> SBT
16/09/2004 20:04 <DIR> Spybot - Search & Destroy
07/10/2005 12:50 <DIR> Symantec
20/08/2005 13:38 <DIR> Windows Genuine Advantage
15/09/2005 00:11 <DIR> Yahoo! Companion
0 File(s) 0 bytes
13 Dir(s) 2,395,467,776 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Default User\Application Data

14/09/2004 19:26 <DIR> .
14/09/2004 19:26 <DIR> ..
14/09/2004 19:26 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 2,395,467,776 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Administrator'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/07/2005 15:59:00
NextRun: 10/07/2005 19:59:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/07/2005
EndDate: 00/00/0000
StartTime: 19:59
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
cobra1968 is offline  
Old 10-07-2005, 12:52 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Reboot & tell me if MS AntiSpyware is still nagging you about browser hijack.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 10-07-2005, 01:17 PM   #14 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


Yep, still nagging about the browser hijack.
cobra1968 is offline  
Old 10-07-2005, 01:20 PM   #15 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,463
OS: N/A


The next time it nags, allow it to change your browser settings.

Then post a new log for me...
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 10-07-2005, 01:21 PM   #16 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


OK, I will restart; that normally does it.
cobra1968 is offline  
Old 10-07-2005, 01:35 PM   #17 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


OK, this time it never asked to change, typical, but here is the log anyway.
Logfile of HijackThis v1.99.1
Scan saved at 20:33:28, on 07/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
D:\Program Files\Tmas.exe
C:\WINDOWS\system32\MDM.EXE
D:\temp folder for downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/welcome/freeserve.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] D:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = D:\Program Files\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095189759318
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A962DB-441A-457C-8D23-2EBBDEEFA503}: NameServer = 213.40.66.126 213.40.130.126
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
cobra1968 is offline  
Old 10-07-2005, 01:38 PM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,463
OS: N/A


This entry is back.

O4 - HKCU\..\Run: [barb exit] C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe

I'm trying to determine who placed it back there... MSAS or malware.

Please give me a new findlop.txt.
__________________

Question - what have you done for the community today?
sUBs is offline  
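What sUBs is doing by eye here, comparing the two posted logs to see that the [barb exit] Run entry was removed and then came back, can be done with a small log diff. This is an added example for the thread, not part of HijackThis or of the post: it parses the finding lines (R0/R1/O2/O4/O17...) out of several HJT logs, reports what was added or removed, and flags findings that vanished and returned. The sample logs are short excerpts of the two logs posted above plus one constructed middle snapshot standing for the state right after the entry was removed.

```python
"""Diff HijackThis (HJT) logs to spot findings that vanish and then come back.
Added example for this thread, not part of HijackThis or of the forum post.
Sample logs: excerpts of the two posted logs plus one constructed snapshot."""
import re
from typing import Dict, List, Set

# Every HJT finding starts with a section tag (R0, R1, O2, O4, O17, ...) and
# " - "; the header and "Running processes" lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(R\d+|O\d+) - (.*)$")

# Two findings quoted verbatim from the posted logs; the tests refer to them.
BARB_EXIT = (r"O4 - HKCU\..\Run: [barb exit] "
             r"C:\DOCUME~1\ADMINI~1\APPLIC~1\MFCDCO~1\ChicPhone.exe")
PROXY_OVERRIDE = (r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion"
                  r"\Internet Settings,ProxyOverride = ;localh;;<local>")
CTFMON = r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe"

# Excerpt of the 05/10/2005 log (first post in the thread).
LOG_BEFORE = "\n".join([
    "Logfile of HijackThis v1.99.1", "Running processes:",
    r"C:\WINDOWS\system32\ctfmon.exe", PROXY_OVERRIDE, CTFMON, BARB_EXIT])
# Constructed: the state right after the [barb exit] entry was removed.
LOG_AFTER_FIX = "\n".join(["Logfile of HijackThis v1.99.1", CTFMON])
# Excerpt of the 07/10/2005 log posted after the reboot.
LOG_AFTER_REBOOT = "\n".join([
    "Logfile of HijackThis v1.99.1", CTFMON, BARB_EXIT,
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A962DB-441A-457C-8D23-2EBBDEEFA503}: "
    "NameServer = 213.40.66.126 213.40.130.126"])


def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Return {section_tag: {entry_body, ...}} for every finding line in a log."""
    entries: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def _flatten(parsed: Dict[str, Set[str]]) -> Set[str]:
    """Rebuild full 'TAG - body' strings so two logs can be compared as sets."""
    return {f"{tag} - {body}" for tag, bodies in parsed.items() for body in bodies}


def diff_logs(old: str, new: str) -> Dict[str, List[str]]:
    """Findings added or removed between two logs (sorted for stable output)."""
    before, after = _flatten(parse_hjt(old)), _flatten(parse_hjt(new))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def reappearing(snapshots: List[str]) -> List[str]:
    """Findings present in one snapshot, gone in a later one, and back in a
    still later one. A returning autostart entry is the thing worth chasing:
    either the cleanup tool restored it or something re-creates it at boot."""
    flat = [_flatten(parse_hjt(s)) for s in snapshots]
    returned: Set[str] = set()
    for i, earlier in enumerate(flat):
        for j in range(i + 1, len(flat)):
            gone = earlier - flat[j]          # removed between snapshot i and j
            for later in flat[j + 1:]:        # ...and present again afterwards
                returned |= gone & later
    return sorted(returned)


if __name__ == "__main__":
    for entry in reappearing([LOG_BEFORE, LOG_AFTER_FIX, LOG_AFTER_REBOOT]):
        print("REAPPEARED:", entry)
    for kind, lines in diff_logs(LOG_BEFORE, LOG_AFTER_REBOOT).items():
        for entry in lines:
            print(f"{kind.upper():>8}: {entry}")
```

Run against the full logs, the same diff also shows the O17 NameServer line that is new in the second log and the R1 ProxyOverride line that is gone from it.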
Old 10-07-2005, 01:41 PM   #19 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Administrator\Application Data

01/01/2005 21:35 <DIR> Adobe
02/09/2005 13:04 <DIR> AdobeAUM
13/02/2005 21:33 <DIR> AdobeUM
26/01/2005 21:49 <DIR> Apple Computer
07/10/2005 12:16 <DIR> AVG7
30/08/2005 14:26 <DIR> BPFTP
30/12/2004 19:24 <DIR> CyberLink
23/10/2004 19:34 0 dm.ini
15/09/2004 04:35 <DIR> Help
14/09/2004 18:56 <DIR> Identities
17/09/2004 00:35 <DIR> InterTrust
14/03/2005 11:06 <DIR> Leadertech
25/09/2004 12:47 <DIR> Macromedia
08/10/2004 13:00 <DIR> Microsoft Web Folders
16/09/2004 18:45 <DIR> MSN6
16/09/2004 21:36 <DIR> Real
16/09/2004 22:56 <DIR> Sun
14/09/2004 23:35 <DIR> Symantec
10/04/2005 15:22 <DIR> Yahoo! Messenger
1 File(s) 0 bytes
18 Dir(s) 2,393,903,104 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\All Users\Application Data

23/10/2004 19:42 <DIR> Adobe
26/01/2005 21:46 <DIR> Apple Computer
06/10/2005 13:25 <DIR> avg7
30/12/2004 19:11 <DIR> CyberLink
02/10/2005 22:18 <DIR> Grisoft
16/09/2004 18:45 <DIR> MSN6
18/09/2004 13:21 <DIR> nView_Profiles
27/04/2005 19:42 <DIR> QuickTime
08/10/2004 18:23 <DIR> SBT
16/09/2004 20:04 <DIR> Spybot - Search & Destroy
07/10/2005 12:50 <DIR> Symantec
20/08/2005 13:38 <DIR> Windows Genuine Advantage
15/09/2005 00:11 <DIR> Yahoo! Companion
0 File(s) 0 bytes
13 Dir(s) 2,393,903,104 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\Default User\Application Data

14/09/2004 19:26 <DIR> .
14/09/2004 19:26 <DIR> ..
14/09/2004 19:26 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 2,393,772,032 bytes free
Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 28C3-F8E9

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Administrator'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/07/2005 15:59:00
NextRun: 10/07/2005 23:59:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/07/2005
EndDate: 00/00/0000
StartTime: 19:59
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
cobra1968 is offline  
Old 10-07-2005, 02:00 PM   #20 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 58
OS: xp pro sp2


OK sUBs, time to give you a break. I have got to go out for a couple of hours, so it will give you a break.

Many thanks for the help so far; there has been a big improvement in performance.
Speak to you soon.
I am thinking of doing a Cisco or an MCSA computer course. Which one do you recommend? I have been tinkering with comps for the past 7 years but nothing at this level, and what you have helped me with has impressed me.

Thanks, Cobra
cobra1968 is offline  
 


Copyright 2001 - 2009, Tech Support Forum