Old 02-11-2006, 01:13 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: Windows XP


"City body sixth" and computer crashing

Recently my computer has been taking ages to start up, and quite frequently freezing during the startup procedure, forcing me to turn it off, let it cool down and boot back up. It also has a tendency to run very slowly when it does successfully start up, which is most noticeable when listening to music, as the tracks will skip and distort. My computer will also occasionally freeze while running, seemingly when I try and run a number of things at once.

The only thing I can relate to this problem is the process 'city body sixth', which is ever present in the startup section of my msconfig. Whenever I disable this process in the startup section of msconfig, it always comes back again re-enabled the next time I boot up my PC. No anti-virus or anti-spyware program has been able to pick up or remove this problem.

This morning I decided to run a spyware check to remove any spyware, then run HijackThis, to see if you could help me sort this problem out. My log file is posted below:


Logfile of HijackThis v1.99.1
Scan saved at 19:58:55, on 11/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shareaza\Shareaza.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gxhctnegowmawsapyxrzsohvf...su2BUO3_0j.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.irqizyjhfdaxwopombb.com/R..._/rBq_SLPE.cgi
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9FE8BE25-3889-7BF8-3C64-F10CD76DD32F} - C:\DOCUME~1\comet\APPLIC~1\CREATI~1\Newhelp.exe (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\serbw.exe
O4 - HKLM\..\Run: [save dale slow road] C:\Documents and Settings\All Users\Application Data\AimSendSaveDale\eggsplus.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV_Update] C:\NAV_Update.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Manager inter book 1] C:\Documents and Settings\All Users\Application Data\twocoalmanagerinter\Sect 1.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [plan keep] C:\DOCUME~1\comet\APPLIC~1\ONLINE~1\City body sixth.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\AdwareFilter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - http://www.clickteam.com/vitalize3/vitalize.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe



Many thanks for your time, and I hope you will be able to target the problem.

- Tom
ChaosMaster is offline  

Old 02-11-2006, 03:15 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

You will need to update Ewido to the latest definition files.
Launch Ewido & click Update from the left pane
Then click on Start Update.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gxhctnegowmawsapyxrzsohvf...su2BUO3_0j.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.irqizyjhfdaxwopombb.com/R..._/rBq_SLPE.cgi
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O2 - BHO: (no name) - {9FE8BE25-3889-7BF8-3C64-F10CD76DD32F} - C:\DOCUME~1\comet\APPLIC~1\CREATI~1\Newhelp.exe (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\serbw.exe
O4 - HKLM\..\Run: [save dale slow road] C:\Documents and Settings\All Users\Application Data\AimSendSaveDale\eggsplus.exe
O4 - HKLM\..\Run: [NAV_Update] C:\NAV_Update.exe
O4 - HKLM\..\Run: [Manager inter book 1] C:\Documents and Settings\All Users\Application Data\twocoalmanagerinter\Sect 1.exe
O4 - HKCU\..\Run: [plan keep] C:\DOCUME~1\comet\APPLIC~1\ONLINE~1\City body sixth.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\AdwareFilter.exe



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • AdwareFilter
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Documents and Settings\comet\APPLIC~1\CREATI~1\
    C:\WINDOWS\system32\serbw.exe
    C:\Documents and Settings\All Users\Application Data\AimSendSaveDale\
    C:\NAV_Update.exe
    C:\Documents and Settings\All Users\Application Data\twocoalmanagerinter\
    C:\Documents and Settings\comet\APPLIC~1\ONLINE~1\
    C:\Program Files\AdwareFilter\

Click on the Start button & select Run
Type in tasks & click Ok
In the ensuing window, click on the 'Advanced' menu (located above) & select 'View Hidden Tasks'
Review all the tasks/jobs at hand. You should be able to recognise jobs that you have created yourself.
Delete hidden jobs that look like these:
  • A034B7FF91BB36BB.job
    A06F1FEF91A49933.job
    A2C3205A93B8CDFA.job
    A36F645091B91BF0.job
    A42C6F7190EFE559.job
You can recognise them by the fact that they're hidden & have names that consist of 16 random letters.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Download fl.zip.
Extract the contents to a new folder on Desktop. (do NOT run it from within the zip file)
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • FindLOP.txt
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
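As an added example (not code from this thread, from HijackThis or from any vendor), the following Python script applies the triage heuristics that the instructions above rely on to HijackThis log lines: hosts-file entries that point security vendors' hostnames anywhere but loopback (blocking scanners and updates), IE start/search pages hijacked to random-looking hostnames, multi-word Run entries launched from an Application Data folder, and hidden Scheduler jobs whose names are 16 hexadecimal characters. The vendor keyword list and the hostname thresholds are assumptions made for the example; the sample lines are copied from the first log posted in this thread.

```python
"""Added example: triage of HijackThis log lines using the heuristics applied
in this thread. Not code from the forum, HijackThis or any vendor. The vendor
keyword list and the hostname thresholds are assumptions; the sample lines
are copied from the log posted in the thread."""
import re
from ipaddress import ip_address

# Assumed list: security vendors that hosts-file hijacks typically redirect
# so that the victim cannot reach online scanners or update servers.
VENDOR_HINTS = ("norman", "pandasoftware", "trendmicro", "kaspersky", "symantec",
                "mcafee", "grisoft", "sophos", "f-secure", "bitdefender", "ewido")

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_BODY = re.compile(r"Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_ENTRY = re.compile(r"HK(?:LM|CU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)")
APPDATA = re.compile(r"Application Data|APPLIC~1", re.IGNORECASE)
HEX_JOB = re.compile(r"[0-9A-F]{16}\.job", re.IGNORECASE)


def is_blocking_hosts_entry(ip, host):
    """True when a hosts line sends a security vendor's name anywhere but loopback."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    vendor = any(hint in host.lower() for hint in VENDOR_HINTS)
    return vendor and not addr.is_loopback


def longest_consonant_run(label):
    """Length of the longest run of consonants (y counted as a consonant)."""
    run = best = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random_hostname(url):
    """Long first label with an unpronounceable consonant run or very few vowels."""
    m = re.match(r"https?://(?:www\.)?(?P<label>[^/.]+)", url.strip())
    if not m:
        return False
    label = m.group("label")
    letters = [c for c in label.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return len(label) >= 12 and (longest_consonant_run(label) >= 4 or vowels < 0.3)


def is_suspicious_job_name(name):
    """Hidden Scheduler jobs named with 16 hex characters, as listed in the thread."""
    return HEX_JOB.fullmatch(name.strip()) is not None


def triage(log_lines):
    """Return (section, reason, line) for each HijackThis line matching a heuristic."""
    findings = []
    for line in log_lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            h = HOSTS_BODY.match(body)
            if h and is_blocking_hosts_entry(h.group("ip"), h.group("host")):
                findings.append((sec, "security vendor redirected in hosts file", line))
        elif sec in ("R0", "R1"):
            url = body.split("=", 1)[-1]
            if looks_random_hostname(url):
                findings.append((sec, "IE start/search page on random-looking host", line))
        elif sec == "O4":
            r = RUN_ENTRY.match(body)
            if r and " " in r.group("label").strip() and APPDATA.search(r.group("cmd")):
                findings.append((sec, "multi-word Run entry launched from Application Data", line))
    return findings


# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gxhctnegowmawsapyxrzsohvf...su2BUO3_0j.htm",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.irqizyjhfdaxwopombb.com/R..._/rBq_SLPE.cgi",
    r"O1 - Hosts: 64.233.167.104 sandbox.norman.no",
    r"O1 - Hosts: 64.233.167.104 www.pandasoftware.com",
    r"O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe",
    r"O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\serbw.exe",
    r"O4 - HKLM\..\Run: [save dale slow road] C:\Documents and Settings\All Users\Application Data\AimSendSaveDale\eggsplus.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [Manager inter book 1] C:\Documents and Settings\All Users\Application Data\twocoalmanagerinter\Sect 1.exe",
    r"O4 - HKCU\..\Run: [plan keep] C:\DOCUME~1\comet\APPLIC~1\ONLINE~1\City body sixth.exe",
]

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run against the sample, the script flags the two hijacked IE pages, the three hosts-file redirects and the three Application Data Run entries, while leaving the Adobe BHO, the HP and QuickTime entries alone. Note what the heuristics do not catch: the single-word `[serpe]` entry pointing at `serbw.exe` and `C:\NAV_Update.exe` in the system root were identified by the helper from experience, so a script like this is a first pass that narrows the log, not a replacement for reading it.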
Old 02-12-2006, 11:42 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: Windows XP


Thank you for the help posted. I followed your instructions as best I could, but there were a few issues I came across during the procedure:

- When trying to add/remove programs in the control panel, I could not find 'Adware Filter' on the list.
- I could not locate C:\WINDOWS\system32\serbw.exe
- I also could not locate C:\Program Files\AdwareFilter\ , although there were 2 folders related to adware filter that I removed.
- I also couldn't run the Kaspersky Online Scanner, I kept getting a message that Windows had blocked the program, despite disabling any firewalls in place.

Unfortunately, my computer is still running as badly as ever, and taking an age to start up. There has been no improvement in performance since completing the above procedure. On the bright side, the 'city body sixth' process has completely disappeared, which can only be a good thing, however also disappointing as I believed that it may have had something to do with my computer's pitiful performance recently.

Here is my HijackThis log after completing the procedure:

Logfile of HijackThis v1.99.1
Scan saved at 18:38:05, on 12/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zekntlvttwufyeaeoc.biz/R1...u2BUO3_0j.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - http://www.clickteam.com/vitalize3/vitalize.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe


Here is the log from ewido, seems to indicate no infection:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1813, 12/02/2006
+ Report-Checksum: E6FD6271

+ Scan result:

No infected objects found.


::Report End


And finally here is the findlop.txt result:

Volume in drive C is Local Disk
Volume Serial Number is 9459-4064

Directory of C:\Documents and Settings\All Users\Application Data

22/01/2006 18:08 <DIR> Adobe
24/10/2004 14:23 <DIR> Ahead
10/08/2005 23:13 <DIR> AOL
28/11/2004 21:27 <DIR> Apple Computer
30/01/2005 20:19 <DIR> Autodesk
11/02/2006 19:58 <DIR> AVG7
29/12/2005 17:10 <DIR> Driving Test Success
22/12/2004 17:25 <DIR> Grisoft
01/11/2004 19:29 <DIR> Kazaa Lite
24/01/2005 20:35 <DIR> Macrovision
25/09/2004 11:57 <DIR> nView_Profiles
09/11/2004 18:56 <DIR> pixelStorm
24/01/2005 19:34 <DIR> QuickTime
01/09/2004 18:42 <DIR> SBSI
12/01/2005 15:30 <DIR> SBT
12/02/2005 14:53 <DIR> Sony Corporation
11/02/2006 19:41 <DIR> Spybot - Search & Destroy
0 File(s) 0 bytes
17 Dir(s) 143,120,830,464 bytes free
Volume in drive C is Local Disk
Volume Serial Number is 9459-4064

Directory of C:\Documents and Settings\comet\Application Data

22/01/2006 17:44 <DIR> Adobe
20/11/2004 20:53 <DIR> AdobeUM
24/10/2004 15:16 <DIR> Ahead
28/11/2004 21:27 <DIR> Apple Computer
25/12/2004 14:25 <DIR> ArcSoft
22/12/2004 18:22 <DIR> AVG7
02/11/2005 20:29 <DIR> fltk.org
15/08/2005 20:55 69,536 GDIPFONTCACHEV1.DAT
16/10/2005 14:09 <DIR> Google
01/11/2004 19:08 <DIR> Help
01/09/2004 18:41 <DIR> Identities
28/09/2004 07:06 <DIR> InterVideo
19/02/2005 15:03 <DIR> Jasc
26/10/2004 18:59 <DIR> Jasc Software Inc
25/07/2005 20:04 <DIR> Lavasoft
24/01/2005 20:44 <DIR> Macromedia
12/01/2005 15:29 <DIR> Microsoft Web Folders
10/08/2005 15:45 <DIR> Mozilla
28/03/2005 12:24 <DIR> Real
10/08/2005 16:24 <DIR> Sierra
28/12/2005 20:15 <DIR> SlySoft
12/02/2005 14:59 <DIR> Sony Corporation
24/11/2004 20:27 <DIR> Sun
24/10/2004 15:04 <DIR> Template
14/08/2005 17:34 <DIR> Webroot
1 File(s) 69,536 bytes
24 Dir(s) 143,120,830,464 bytes free
Volume in drive C is Local Disk
Volume Serial Number is 9459-4064

Directory of C:\Documents and Settings\Default User\Application Data

01/09/2004 18:41 <DIR> .
01/09/2004 18:41 <DIR> ..
01/09/2004 19:37 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 143,120,830,464 bytes free
Volume in drive C is Local Disk
Volume Serial Number is 9459-4064

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is Local Disk
Volume Serial Number is 9459-4064

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues


As previously mentioned, I could not run the Kaspersky Online Scanner so unfortunately I cannot provide a log from that.

Many thanks for your help,

- Tom
ChaosMaster is offline  
Old 02-12-2006, 12:07 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Did Kaspersky offer any error messages? If so, please show them to me.



Please have HijackThis fix this entry:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zekntlvttwufyeaeoc.biz/R1...u2BUO3_0j.html




If Kaspersky is still unavailable to you, please try Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 02-12-2006, 04:08 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: Windows XP


Right, I've had HijackThis fix the offending article, and have also run a scan with Panda ActiveScan. Here's the log:


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\comet\Cookies\comet@ad.yieldmanager[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\comet\Cookies\comet@casalemedia[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\comet\Cookies\comet@realmedia[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\comet\Cookies\comet@tribalfusion[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\comet\Application Data\Mozilla\Firefox\Profiles\n43vovwp.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\comet\Application Data\Mozilla\Firefox\Profiles\n43vovwp.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\comet\Application Data\Mozilla\Firefox\Profiles\n43vovwp.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\comet\Application Data\Mozilla\Firefox\Profiles\n43vovwp.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\comet\Application Data\Mozilla\Firefox\Profiles\n43vovwp.default\cookies.txt[.com.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\comet\Application Data\Mozilla\Firefox\Profiles\n43vovwp.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\comet\Application Data\Mozilla\Firefox\Profiles\n43vovwp.default\cookies.txt[]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\comet\Cookies\comet@ad.yieldmanager[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\comet\Cookies\comet@casalemedia[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\comet\Cookies\comet@realmedia[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\comet\Cookies\comet@tribalfusion[1].txt


Also, the message I'm getting when trying to run Kaspersky says "Windows has blocked this software because it can't verify the publisher". It's a security warning apparently. Your help is greatly appreciated,

- Tom
Old 02-12-2006, 05:08 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,453
OS: N/A


Nothing but some harmless cookies. Please do this ...

From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Select Custom Level.
      • Change 'Download unsigned ActiveX controls' to Prompt
      • Click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.

After that, you should be able to run Kaspersky.

PS... Tell me if you overclock your PC.
__________________

Question - what have you done for the community today?
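The Internet Options steps above change one per-user registry value: the Internet zone's "Download unsigned ActiveX controls" policy. The PowerShell below is an added example, not part of sUBs's post; it assumes PowerShell is available on the machine and that the per-user key under HKCU (rather than a Group Policy value under HKLM) governs the zone.

```powershell
# Added example: read and set the Internet zone (zone 3) policy that the
# Internet Options dialog calls "Download unsigned ActiveX controls".
# Assumption: registry value 1004 under the per-user Zones\3 key holds it,
# with 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1004'
$Names     = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-UnsignedActiveXPolicy {
    # Returns the current setting as a word, or a note when the value is absent.
    $item = Get-ItemProperty -Path $ZoneKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (zone default applies)' }
    $code = [int]$item.$ValueName
    if ($Names.ContainsKey($code)) { return $Names[$code] }
    return "Unknown ($code)"
}

function Set-UnsignedActiveXPolicy {
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Setting)
    $code = ($Names.GetEnumerator() | Where-Object { $_.Value -eq $Setting }).Key
    Set-ItemProperty -Path $ZoneKey -Name $ValueName -Value $code -Type DWord
}

"Before: $(Get-UnsignedActiveXPolicy)"

# 'Prompt' is what the post asks for: the browser asks before loading an
# unsigned control such as an online scanner, instead of blocking it outright.
Set-UnsignedActiveXPolicy -Setting Prompt
"After:  $(Get-UnsignedActiveXPolicy)"

# 'Enable' would let unsigned controls install silently; flag it if ever seen.
if ((Get-UnsignedActiveXPolicy) -eq 'Enable') {
    Write-Warning 'Unsigned ActiveX downloads are allowed without a prompt.'
}

# Once the scan is finished, return the zone to its safer default:
# Set-UnsignedActiveXPolicy -Setting Disable
```

Run it from the affected user's account, since the value lives in that user's hive; a domain Group Policy for the same setting takes precedence over this per-user value.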
Old 02-13-2006, 09:14 AM   #7 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: Windows XP


OK, I followed your instructions and managed to run Kaspersky. The resulting log file is huge, too big to post, so I've attached it.

Also, in response to your question, I've never overclocked my PC; in fact, I've never opened the back up at all.

Thanks again for your help,

- Tom
Attached Files
File Type: txt Kaspersky Report.txt (203.5 KB, 1 views)
Old 02-13-2006, 09:36 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,453
OS: N/A


Kaspersky only managed to find infected files in the System Volume Information folder. That's System Restore's cache. Whatever's in there will not harm you unless you do a restore. Please do this to clear the cache...

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
  • Turn it back 'On' by unticking the same checkbox & click OK

At this juncture, I would surmise that your machine is clean. Both Kaspersky/Panda with their extensive databases of malware have failed to find anything notable other than the LOP infection which we have removed.

If you're still suffering from slow starts, I suggest you begin a new thread at the Windows XP forum. Let them know that the HijackThis forum has declared you as clean.
__________________

Question - what have you done for the community today?
Old 02-13-2006, 12:33 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 9
OS: Windows XP


OK, thanks for all your help, it's nice to know I have a clean computer, even if it is still playing up. I'll look into it on the other forum and see if anyone there can help me out. Thanks again for sticking with me,

- Tom
Copyright 2001 - 2009, Tech Support Forum