Help - troj_startpge.fl virus!

[Emmanuel2005]

Hi

I have been having problems with a virus, which I can't get rid of with my antivirus software. I hope someone here can help. The virus is troj_startpge.fl I use trend micro pc-cillin which detects the virus every time I open Internet Explorer. Even though I then quarantine the virus, it continues to appear. The symptoms are: my Internet Explorer startpage is now blank and "about:blank" appears in the address bar; I get pop-ups; a small blank box appears on my screen when I perform an Internet search; and, various web sites are added to my "favourites".

I would also like to know if it currently safe for me to send e-mails to others.

I hope that you can help. Many thanks.

My hijackthis log is below:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:48 AM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\WINDOWS\SYSTEM32\IPXK.EXE
C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
C:\WINDOWS\ntzu32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MICROS~2\OFFICE\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Netzip Classic\Netzip.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ZIPD\0\0\HIJACK~1.E XE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133080125656
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A536D22-B202-438C-A032-408ED32EC59F}: NameServer = 195.170.0.1 195.170.2.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzu32.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[Ried]

Hello Emmanuel2005 and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download the following programs and tools. Please do not run them until directed to do so.

Ewido Security Suite

• Install Ewido Security Suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

HSFix

About Buster - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder - Save it to Desktop.

• Open CWShredder and click [I AGREE]
• Click [Check For Update]
• Close CWShredder after updating

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

---------------------------

Go to My Computer->[b]Tools[b]->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Spy Fighter --This is considered a rogue program

Click Start->Run - type SERVICES.MSC & then click on the OK button

1. Locate the service - Network Security Service
2. Double-click on it to open the Properties dialog.
   • Under the General tab:
   • Stop the service by using the Stop button.
   • Change the Startup type to Disabled & then click on the OK button
3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
4. In the popup box that appears, type in 11Fßä#·ºÄÖ`I **please note there is a space before the 11, make sure to include it. Click on the OK button

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ljzuu.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzu32.exe

Delete the following Files and Folders if they still exist.

C:\WINDOWS\system32\ ljzuu.dll
C:\WINDOWS\ sdksr.dll
C:\WINDOWS\ d3sr32.dll
C:\WINDOWS\SYSTEM32\ IPXK.EXE
C:\Program Files\ SpyFighter
C:\WINDOWS\ ntzu32.exe

---------------------------

Run CWShredder & click on [Fix].

Run About Buster and click Begin Removal. Once that's done, just hit the OK button. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Double-click on HSfix.reg & answer YES when prompted to merge into the registry.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
Note: [b][color=teal][size=1]CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Run Ewido:
*Click [Scanner]
*Click [Complete System Scan] to begin scanning.
*Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

---------------------------

Reboot into Normal Mode.

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm *Requires Internet Explorer.
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.

1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
2. Click On 'Scan Now'
3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
4. Begin the scan by selecting My Computer
   * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
5. If it finds any malware, it will offer you a report. Click on see report
6. Then click Save report
7. Post the contents of the report in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

So I need the following logs:

Ewido Results
Ab LogFile.txt
Panda ActiveScan
HijackThis

[Emmanuel2005]

Hi Ried

I really appreciate your help on this

I got as far as:

"Click Start->Run - type SERVICES.MSC & then click on the OK button
Locate the service - Network Security Service"

I couldn't locate any service called "Network Security Service" in the list which appears. I did spot:

- Network Provisioning Service
- Network Connections
- Network DDE
- Network DDE DSDM
- Network Location Awareness
- Security Accounts Manager
- Security Center
- System Restore Service

Grateful if you could advise...

Thanks,
Emmanuel

[Ried]

The service may have changed..go ahead and continue with the rest of the instructions and we'll take care of that in the next round if need be.

[Emmanuel2005]

Hi

When trying the following:

"Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in 11Fßä#·ºÄÖ`I **please note there is a space before the 11, make sure to include it. Click on the OK button"

I got a message up saying:

"The service 11Fßä#·ºÄÖ`I is enabled and/or running. Disable it first, using HiJackThis itself (from the scan results) or the Services.msc window"

Shall I just continue on to next step which is the HiJackThis scan?

Thanks
Emmanuel

[Ried]

That means the service is still running in the services.msc. Do you see any of the following in services.msc:

Network Security Service
Workstation Netlogon Service
Remote Procedure Call (RPC) Helper
Network Security Service (NSS)

I'll wait online for you...

[Emmanuel2005]

Hi

The only one I see exactly as you describe it, is the Network Security Service. I couldn't see it before when I was in safe mode though! Guess I need to get back into safe mode and look for it again?

Emmanuel

[Ried]

No, go ahead and Stop, then Disable the service from Normal Mode first, then go into Safe Mode for the rest.

[Emmanuel2005]

Hi Ried

Here are the logs in the order you requested. I would be grateful for your opinion (or that of someone in a UK/European time zone) on whether it's safe to send e-mails/documents to my clients at the moment - I'm a translator. Thanks, Emmanuel

---------------------------------------------------------
ewido security suite - Scan report---------------------------------------------------------

+ Created on: 10:34:58 PM, 11/30/2005
+ Report-Checksum: 37E3EA4

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\user\My Documents\cc and emm cv\access.exe -> Trojan.Dialer.ec : Cleaned with backup
D:\My Documents Backup\cc and emm cv\access.exe -> Trojan.Dialer.ec : Cleaned with backup


::Report End


AboutBuster 5.1, reference file 33
Scan started on [11/30/2005] at [9:52:06 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\legvm.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:53:13 PM


Panda's Activescan report

Incident Status Location

Spyware:spyware/petro-line Not desinfected C:\Documents and Settings\user\Favorites\SITES ABOUT\Ab scissor.url
Adware:adware/searchaid Not desinfected C:\Documents and Settings\user\Favorites\Only sex website.url
Adware:adware/navipromo Not desinfected C:\WINDOWS\sdkpg32.exe
Adware:adware/cws.aboutblank Not desinfected Windows Registry
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\d3fl32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\ipur32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\javaia32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\javasi32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\javazo.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\ntzu32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\addyl.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\d3ak.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\d3xx32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\ipas32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\msdb32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\netir32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\netyp.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\ntdo32.exe
Adware:Adware/SearchAid Not desinfected C:\WINDOWS\system32\ntlj32.exe


Logfile of HijackThis v1.99.1
Scan saved at 10:08:30 AM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\WINDOWS\NETGF.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
C:\WINDOWS\ntzu32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5C24F68F-330D-3834-5594-F52CB787AE93} - C:\WINDOWS\system32\ipwm32.dll
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll (file missing)
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [netgf.exe] C:\WINDOWS\NETGF.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133080125656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A536D22-B202-438C-A032-408ED32EC59F}: NameServer = 195.170.0.1 195.170.2.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzu32.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[Ried]

Hi Emmanuel,

For the most part, we're going to have to repeat the previous procedure. This fix needs to be done all at one time, with no pauses in between the steps outlined, so make sure you have enough time set aside.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. (it's important that you get version v2.0.0.175) Do not run it yet.

---------------------------

Click Start->Run - type SERVICES.MSC & then click on the OK button

1. Locate the service - Network Security Service
2. Double-click on it to open the Properties dialog.
   • Under the General tab:
   • Stop the service by using the Stop button.
   • Change the Startup type to Disabled & then click on the OK button
3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
4. In the popup box that appears, type in 11Fßä#·ºÄÖ`I **please note there is a space before the 11, make sure to include it. Click on the OK button

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------
Start KillBox.
Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\system32\ipwm32.dll
C:\WINDOWS\elcad.dll
C:\WINDOWS\SYSTEM32\IPXK.EXE
C:\WINDOWS\NETGF.EXE
C:\WINDOWS\sdkpg32.exe
C:\WINDOWS\d3fl32.exe
C:\WINDOWS\ipur32.exe
C:\WINDOWS\javaia32.exe
C:\WINDOWS\javasi32.exe
C:\WINDOWS\javazo.exe
C:\WINDOWS\ntzu32.exe
C:\WINDOWS\system32\addyl.exe
C:\WINDOWS\system32\d3ak.exe
C:\WINDOWS\system32\d3xx32.exe
C:\WINDOWS\system32\ipas32.exe
C:\WINDOWS\system32\msdb32.exe
C:\WINDOWS\system32\netir32.exe
C:\WINDOWS\system32\netyp.exe
C:\WINDOWS\system32\ntdo32.exe
C:\WINDOWS\system32\ntlj32.exe
C:\WINDOWS\sdksr.dll

Go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.

Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5C24F68F-330D-3834-5594-F52CB787AE93} - C:\WINDOWS\system32\ipwm32.dll
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll (file missing)
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [netgf.exe] C:\WINDOWS\NETGF.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzu32.exe

Click 'Fix Checked' and close HijackThis.

Delete the following files/folders:

C:\Documents and Settings\user\Favorites\SITES ABOUT
C:\Documents and Settings\user\Favorites\Only sex website.url

---------------------------

Run CWShredder & click on [Fix].

Run About Buster and click Begin Removal. Once that's done, just hit the OK button. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Double-click on HSfix.reg & answer YES when prompted to merge into the registry.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
Note: [b][color=teal][size=1]CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Run Ewido:
*Click [Scanner]
*Click [Complete System Scan] to begin scanning.
*Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

---------------------------

Reboot into Normal Mode.

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm *Requires Internet Explorer.
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.

1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
2. Click On 'Scan Now'
3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
4. Begin the scan by selecting My Computer
   * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
5. If it finds any malware, it will offer you a report. Click on see report
6. Then click Save report
7. Post the contents of the report in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

So I need the following logs:

Ewido Results
Ab LogFile.txt
Panda ActiveScan
HijackThis

[Emmanuel2005]

Hi Ried

Here are the latest scans as requested. I have got control of my homepage again and have re-set to what I wanted. Progress I think Thanks for all your help so far.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:01:35 PM, 12/2/2005
+ Report-Checksum: CB50115D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{4822A81B-A35C-81CA-4B1E-595C44DF3F5E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup


::Report End



AboutBuster 5.1, reference file 33
Scan started on [12/2/2005] at [3:37:01 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\system32\mdspf.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:38:07 PM



Panda Activevision

Incident Status Location

Adware:adware/cws.aboutblank Not disinfected Windows Registry
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\apiql.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\system32\addfm.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\system32\ipdz.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\system32\mfcfg32.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\system32\nettj.exe


Logfile of HijackThis v1.99.1
Scan saved at 4:22:21 PM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5C24F68F-330D-3834-5594-F52CB787AE93} - C:\WINDOWS\system32\ipwm32.dll (file missing)
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll (file missing)
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [netgf.exe] C:\WINDOWS\NETGF.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133080125656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A536D22-B202-438C-A032-408ED32EC59F}: NameServer = 195.170.0.1 195.170.2.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[Ried]

Hi Emmanuel,

A little bit of progress, but the main infections are still present.

Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

Download Trackqoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet.

Use this online scanner:

Perform an online scan using Internet Explorer with Kaspersky WebScanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
*The program will launch and then begin downloading the latest definition files:
*Once the files have been downloaded click on NEXT
*Now click on Scan Settings
*In the scan settings make that the following are selected:
*Scan using the following Anti-Virus database:
*Standard
*Scan Options:
*Scan Archives
*Scan Mail Bases
*Click OK
*Now under select a target to scan:
*Select My Computer
*This will program will start and scan your system.
*The scan will take a while so be patient and let it run.
*Once the scan is complete it will display if your system has been infected.
*Now click on the Save as Text button:
*Save the file to your desktop.
*Copy and paste that information in your next post.

Reboot into Safe Mode.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode. Run a scan with HijackThis and save the log.

Locate & double-click on TrackQoo1.vbs . Wait a few seconds and a notepad page will pop up, Copy & Paste those results in your next post
* If your Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

So I will need the following logs:

Kaspersky Results
WPFind
Trackqoo
HijackThis

[Emmanuel2005]

Hi Reid

As requested here are the latest scans and reports. Thanks.


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, December 02, 2005 17:19:39
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/12/2005
Kaspersky Anti-Virus database records: 153085
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 21052
Number of viruses found: 4
Number of infected objects: 151
Number of suspicious objects: 0
Duration of the scan process: 629 sec

Infected Object Name - Virus Name
C:\HijackThis\backups\backup-20051130-213404-466.dll Infected: Trojan-Downloader.Win32.WinShow.bg
C:\HijackThis\backups\backup-20051130-213404-882.dll Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP1\A0000001.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP1\A0000001.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP1\A0000001.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP1\A0000001.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP1\A0000001.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP1\A0000002.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP1\A0000015.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000055.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000055.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000055.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000055.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000055.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000055.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000055.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000056.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000072.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000072.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000072.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000072.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000072.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000072.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000072.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000074.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000096.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000096.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000096.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000096.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000096.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000096.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000096.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000098.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000111.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000111.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000111.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000111.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000111.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000111.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000111.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000112.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000131.dll Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000132.dll Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0000133.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001196.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001196.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001196.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001196.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001196.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001196.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001196.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001197.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:hkjfjm:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001218.pif:zlctep:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001219.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:hkjfjm:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001228.pif:zlctep:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001229.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:hkjfjm:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001235.pif:zlctep:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001236.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001246.dll Infected: Trojan-Downloader.Win32.WinShow.bg
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001247.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001248.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001249.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001250.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001251.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001252.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001253.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001254.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001255.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001256.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001257.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001258.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001259.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001260.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001261.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001262.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP3\A0001263.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\addko.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\addpu32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\addtm32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\addyl32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\apial32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apida32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiql.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\apisd32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apitb.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\appgr32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\d3td.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\Fast800.ini:sfkos:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\iexu.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\netpb32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\netuw.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\ntzt32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\Q321064.log:bdfvva:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\Rhododendron.bmp:udxixd:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\syski.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\addfm.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\atlhy.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\atljd.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\d3af32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\d3wk.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\ienu32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\ipdz.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\javapf.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\mfcfg32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\mfckh32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\mfcmq32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\mspw.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\msyc.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\netkc32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\nettj.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\netwq.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\syskq32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\syslo.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\sysvn32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\winbu.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\winip32.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\winwp.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\_default.pif:advcpv:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\_default.pif:cqqybn:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\WINDOWS\_default.pif:hkjfjm:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:mmbfo:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\WINDOWS\_default.pif:qclxnt:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:qgxdmt:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:urbeeq:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_default.pif:xfexkr:$DATA Infected: Trojan-Downloader.Win32.WinShow.bg
C:\WINDOWS\_default.pif:zlctep:$DATA Infected: Trojan-Downloader.Win32.Agent.td
D:\System Volume Information\_restore{6BEB3D6C-1E25-4413-B74F-320F256A8AC9}\RP2\A0001183.exe Infected: Trojan.Win32.Dialer.ec

Scan process completed.



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll

Checking %System% folder...
PEC2 8/4/2004 2:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 8/26/1997 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP
Umonitor 8/4/2004 2:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 2:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 9/26/2005 2:23:54 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys
aspack 9/26/2005 2:23:54 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/2/2005 5:22:50 PM S 2048 C:\WINDOWS\bootstat.dat
11/10/2005 7:35:56 AM RH 749 C:\WINDOWS\WindowsShell.Manifest
11/10/2005 7:36:02 AM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
11/10/2005 7:36:34 AM HS 67 C:\WINDOWS\Fonts\desktop.ini
11/27/2005 12:59:58 PM RH 0 C:\WINDOWS\forms\MSCREATE.DIR
11/27/2005 12:59:58 PM RH 0 C:\WINDOWS\forms\configs\MSCREATE.DIR
11/27/2005 10:30:26 AM H 0 C:\WINDOWS\inf\oem12.inf
12/2/2005 4:52:14 PM H 0 C:\WINDOWS\LastGood\INF\oem13.inf
12/2/2005 4:52:14 PM H 0 C:\WINDOWS\LastGood\INF\oem13.PNF
11/10/2005 7:36:02 AM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
11/10/2005 7:36:18 AM RHS 727 C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab
11/10/2005 7:36:18 AM RHS 19854 C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab
11/10/2005 7:36:18 AM RHS 244933 C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab
11/10/2005 7:37:02 AM H 225280 C:\WINDOWS\repair\ntuser.dat
11/27/2005 1:04:18 PM RH 0 C:\WINDOWS\SendTo\MSCREATE.DIR
11/10/2005 7:35:56 AM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
11/10/2005 7:36:02 AM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
11/10/2005 7:35:56 AM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
11/10/2005 7:35:56 AM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
11/10/2005 7:35:56 AM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
11/10/2005 7:36:02 AM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
11/10/2005 7:35:56 AM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/5/2005 3:17:40 AM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
12/2/2005 5:22:44 PM H 8192 C:\WINDOWS\system32\config\default.LOG
12/2/2005 5:23:00 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/2/2005 5:22:52 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
12/2/2005 5:26:28 PM H 73728 C:\WINDOWS\system32\config\software.LOG
12/2/2005 5:22:54 PM H 921600 C:\WINDOWS\system32\config\system.LOG
11/9/2005 11:14:48 PM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
11/9/2005 11:14:48 PM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
11/30/2005 3:17:24 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
11/9/2005 11:16:34 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
11/25/2005 3:22:16 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
11/25/2005 3:22:16 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
11/9/2005 11:16:34 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
11/10/2005 7:43:04 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
11/10/2005 7:43:04 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
11/10/2005 7:43:04 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
11/10/2005 7:43:04 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
11/10/2005 7:43:04 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\23GNE3AT\desktop.ini
11/10/2005 7:43:04 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OB8LKDG5\desktop.ini
11/10/2005 7:43:04 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U3KT896H\desktop.ini
11/10/2005 7:43:04 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y3YJ4LSN\desktop.ini
11/10/2005 7:36:04 AM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
11/9/2005 11:16:34 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
11/10/2005 7:37:00 AM HS 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
11/10/2005 7:37:00 AM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
11/10/2005 7:37:00 AM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
11/10/2005 7:37:00 AM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
11/10/2005 7:37:00 AM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
11/29/2005 10:39:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\41786dfc-88d1-43e4-a277-2a9c5c0d3e42
11/29/2005 10:39:02 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
11/10/2005 7:43:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4255fd73-d732-47c5-b8f2-27273fc1a33a
11/10/2005 7:43:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/2/2005 5:21:50 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:00:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Iomega Corporation 9/24/2002 4:44:10 PM 151552 C:\WINDOWS\SYSTEM32\ADPanel.cpl
Realtek Semiconductor Corp. 4/6/2005 12:58:48 PM 294912 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 2:00:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/26/1997 53520 C:\WINDOWS\SYSTEM32\MLCFG32.CPL
Microsoft Corporation 8/4/2004 2:00:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 12/2/2004 5:21:00 AM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Realtek Semiconductor Corp. 3/17/2005 5:43:34 AM 262144 C:\WINDOWS\SYSTEM32\RTSndMgr.CPL
Silicon Image 4/25/2005 2:30:26 PM R 78336 C:\WINDOWS\SYSTEM32\SilSupp.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 2:00:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/27/2005 1:37:00 PM 910 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
11/10/2005 7:37:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/26/2005 5:01:30 AM 857 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
11/27/2005 1:10:58 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/9/2005 11:16:34 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
11/10/2005 7:37:00 AM HS 84 C:\Documents and Settings\user\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/9/2005 11:16:34 PM HS 62 C:\Documents and Settings\user\Application Data\desktop.ini
11/29/2005 6:50:48 PM 0 C:\Documents and Settings\user\Application Data\Install.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\iRivEncrypt
{10020E84-840F-474A-9B5C-B043F0EBFC65} = C:\Program Files\iRiver\HSeries\iRivEncrypt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZpCtxMenu
{6946AA04-2B53-11d4-9504-00D0B70779F8} = C:\Program Files\Netzip Classic\ZpCtxMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 14\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\iRivEncrypt
{10020E84-840F-474A-9B5C-B043F0EBFC65} = C:\Program Files\iRiver\HSeries\iRivEncrypt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ZpCtxMenu
{6946AA04-2B53-11d4-9504-00D0B70779F8} = C:\Program Files\Netzip Classic\ZpCtxMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 14\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZpCtxMenu
{6946AA04-2B53-11d4-9504-00D0B70779F8} = C:\Program Files\Netzip Classic\ZpCtxMenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C24F68F-330D-3834-5594-F52CB787AE93}
Class = C:\WINDOWS\system32\ipwm32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E519B7D-60F7-36E0-6009-671EAD1F7C44}
Class = C:\WINDOWS\sdksr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{849E652D-E279-49D1-44C6-6C7123362280}
Class = C:\WINDOWS\d3sr32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RTHDCPL RTHDCPL.EXE
Alcmtr ALCMTR.EXE
RemoteControl "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
InCD C:\Program Files\Ahead\InCD\InCD.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
nMTaskBarService nMtsk.exe
pccguide.exe "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
iHP-100 C:\Program Files\iRiver\HSeries\iHPDetect.exe
ipxk.exe C:\WINDOWS\SYSTEM32\IPXK.EXE
B5.tmp C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
B7.tmp C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
B5.tmp.exe C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
B7.tmp.exe C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
netgf.exe C:\WINDOWS\NETGF.EXE
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Network Service
Windows Internet Protocol

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/2/2005 5:34:23 PM



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"nMTaskBarService"="nMtsk.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 14\\pccguide.exe\""
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"iHP-100"="C:\\Program Files\\iRiver\\HSeries\\iHPDetect.exe"
"ipxk.exe"="C:\\WINDOWS\\SYSTEM32\\IPXK.EXE"
"B5.tmp"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B5.tmp.exe"
"B7.tmp"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B7.tmp.exe"
"B5.tmp.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B5.tmp.exe"
"B7.tmp.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B7.tmp.exe"
"netgf.exe"="C:\\WINDOWS\\NETGF.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- iRivEncrypt
{10020E84-840F-474A-9B5C-B043F0EBFC65}
C:\Program Files\iRiver\HSeries\iRivEncrypt.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- ZpCtxMenu
{6946AA04-2B53-11d4-9504-00D0B70779F8}
C:\Program Files\Netzip Classic\ZpCtxMenu.dll

Subkey --- {48F45200-91E6-11CE-8A4F-0080C81A28D4}

C:\Program Files\Trend Micro\Internet Security 14\Tmdshell.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Acrobat Assistant.lnk
desktop.ini
DSLMON.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\user\Start Menu\Programs\Startup

Acrobat Assistant.lnk
desktop.ini
DSLMON.lnk
Microsoft Office.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
ADPanel.cpl Iomega Corporation
ALSNDMGR.CPL Realtek Semiconductor Corp.
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
MLCFG32.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
RTSndMgr.CPL Realtek Semiconductor Corp.
SilSupp.cpl Silicon Image
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


Logfile of HijackThis v1.99.1
Scan saved at 5:38:30 PM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5C24F68F-330D-3834-5594-F52CB787AE93} - C:\WINDOWS\system32\ipwm32.dll (file missing)
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll (file missing)
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [netgf.exe] C:\WINDOWS\NETGF.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133080125656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[Ried]

Emmanuel, before we do this the 'hard way', I'd like to double check something with you. When you enter Safe Mode to do the outlined fixes, are you logging into Safe Mode under the same account you are running the HijackThis scans in? I ask this because I'm seeing the same entries remaining as the original log and some of these should have been easily removed after the first round.

[Emmanuel2005]

Hi Ried

As far as I know, I don't have different accounts set up on my computer. I just switch it on and start working. When I log into safe mode, I get the option to do it as "administrator" or "user" and I choose "user" each time. Should I be choosing "adminstrator" or does this not matter?

Emmanuel

[Emmanuel2005]

Hi Ried

Did you want me to delete any files too? See unfinished sentence in your post.

Thanks
Emmanuel

[Ried]

You have Temp entries here that are listed under the User acct, but there are simple entries that should not have returned after the first run. Log in to Safe Mode as Administrator this time and let's try this again.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

**Note: These R1 entries may have changed again. 'Fix' any R1 and R0 entries with res://C:\WINDOWS\ *random.dll/sp.html#

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5C24F68F-330D-3834-5594-F52CB787AE93} - C:\WINDOWS\system32\ipwm32.dll (file missing)
O2 - BHO: Class - {7E519B7D-60F7-36E0-6009-671EAD1F7C44} - C:\WINDOWS\sdksr.dll (file missing)
O2 - BHO: Class - {849E652D-E279-49D1-44C6-6C7123362280} - C:\WINDOWS\d3sr32.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ipxk.exe] C:\WINDOWS\SYSTEM32\IPXK.EXE
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [B5.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [B7.tmp.exe] C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe
O4 - HKLM\..\Run: [netgf.exe] C:\WINDOWS\NETGF.EXE

Delete the following files:

C:\WINDOWS\ elcad.dll (or whatever file it may have changed to. Refer to the Ro and R1 entries above.)
C:\WINDOWS\SYSTEM32\ IPXK.EXE
C:\WINDOWS\ NETGF.EXE
C:\DOCUME~1\user\LOCALS~1\Temp\ B5.tmp.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ B7.tmp.exe

C:\WINDOWS\ NETGF.EXE

Run CWShredder & click on [Fix].

Run About Buster and click Begin Removal. Once that's done, just hit the OK button. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Run Ewido:
*Click [Scanner]
*Click [Complete System Scan] to begin scanning.
*Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

Run AboutBuster again. Post that log as well as the first AboutBuster log.

Reboot into Normal Mode. Run another scan with HijackThis and post the log here along with Ewido and bot 'Ab LogFile.txt' .

[Ried]

My apologies on that previous post Emmanuel. I got dropped from internet part way through posting reply...

[Emmanuel2005]

Hi Ried

No problem - thanks again for your help and patience.

There were no other similar looking Ro and R1 entries and I couldn't find these files in order to delete them:

C:\WINDOWS\elcad.dll (or whatever file it may have changed to. Refer to the Ro and R1 entries above.)
C:\WINDOWS\SYSTEM32\IPXK.EXE
C:\WINDOWS\NETGF.EXE
C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
C:\DOCUME~1\user\LOCALS~1\Temp\B7.tmp.exe

Here are the logs you asked for:

AboutBuster 5.1, reference file 33
Scan started on [12/5/2005] at [4:33:19 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:34:23 PM


AboutBuster 5.1, reference file 33
Scan started on [12/5/2005] at [4:53:34 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:54:33 PM


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:52:43 PM, 12/5/2005
+ Report-Checksum: 739C8EF1

+ Scan result:

C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 4:56:59 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\HijackThis\HijackThis.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133080125656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[Ried]

Please make sure the following is still in effect:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Look again for those files and let me know if you were successful or not. If you were able to find and delete them, run another scan with HijackThis and post it here once more.