Fatal Errors Using Virus Scanning (Norton Systemworks)

rozel · 04-20-2006, 09:34 AM

Hi I have been running my system for several years now but recently I had to uninstall Norton Systemworks and reinstall. There was a period in between and my PC became infected with god knows what. After running several Spyware cleaners: - AdawareSE, SpyBot Search&Destroy, Xoftspy, Spysweeper, Ewido and the Panda online checker I seem to be getting the following fatal error during the course of a full or partial System Check in Systemwork's Norton Antivirus 2005: -

STOP: C000021a { Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 ( 0x00000000 0x00000000)
The system has been shut down.

This error also ocurrs if I leave my machine on for any length of time unused and I think kicks in at the time the screen saver activates, as when I disable the screen saver, this problem doesn't seem to ocurr.

Over the years I am sure I have infections which these progs do not pick up and given a reformat at the present time is out of the question, I feel the time is right for your experts to take a look please. I can find little of relevance when looking up this Stop Error apart from some reference to Adaware and Panda. I have uninstalled the Panda stuff but still I am getting this error.

I work the night shift but finish tomorrow morning early and will endeavour to reply speedily to your responses/requests. I confirm that I have run the processes and checks in your First Steps Sticky.

My Hijack log is as follows:-

Logfile of HijackThis v1.99.1
Scan saved at 17:14:27, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\KService\KService.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
E:\DreamBox\Plugins\NFS Server\portmap.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SanDisk\low power 128MB + Wi-Fi CompactFlash Card\WLANUTL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE INTEX USB PC Camera
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe
O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\RECYCLER\NPROTECT\01501711.exe
O4 - Global Startup: SanDisk Wi-Fi.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemp...veSekurity.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/english/c...dio/ChkDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093454827421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125763413078
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://217.69.157.142/player/kdreg.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files...fosFinder2.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BFEED49-519D-46EF-93E2-5CCA5FB05CF7}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BCACEBE-51E7-451A-8952-30AF761EA251}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
O23 - Service: TrueGrid NFS Server - Unknown owner - E:\DreamBox\NFS Server\nfs.exe (file missing)
O23 - Service: TrueGrid Portmapper - Unknown owner - E:\DreamBox\Plugins\NFS Server\portmap.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

Your assistance is greatly appreciated right now

Paul

MoralTerror · 04-20-2006, 11:40 AM

Hi.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.

MoralTerror · 04-21-2006, 01:17 AM

Hi Paul

Please print this page or copy it to Notepad in order to assist you while carrying out the following instructions.

Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it. You will use this later.

Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:

Go to the Options>Program Options
Uncheck Load at Windows Startup
Click Shields & uncheck all items there
Uncheck Home page shield.

Please disable Ewido Security Suite's Guard by doing the following:

Open ewido by double-clicking the yellow 'e' icon in the system tray.
In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup.

Launch Ewido & click Update from the left pane
Then click on Start Update.[/list]
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Please leave both of those programs disabled until your logs are clean.

Please use Symantec's guide to remove the Norton Quarantine files.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Uncheck the following :

Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program and reboot when prompted.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

* "Perform action on all infections"
* Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe
O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\RECYCLER\NPROTECT\01501711.exe
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemp...veSekurity.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe
O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://217.69.157.142/player/kdreg.cab
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED if they still exist.

winccf32.dll find via start>search
wkssvc.exe find via start>search
C:\RECYCLER\NPROTECT\01501711.exe

Reboot your system in Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report here together with a new HiJack This log.

Required Logs

Ewido report
Panda report
new HijackThis log

rozel · 04-21-2006, 09:18 AM

Thanks for getting back so quickly. I had to have some sleep today - it was a hard shift last night and just read your helpful thread. I am in the process of undertaking your requirements and will post back later today tomorrow morning. In the meantime I ran Cleanup and as I did not have the option to "scan local drives" I disregarded it only to find it deleted 208Gb of files downloaded to a "temp" folder - oh well. Once I've recovered them (I'm in the process of doing so now) I will crack on with the remainder of your requirements. By the way I have noticed that you can elect to scan what drive(s) you want to in Cleanup, but you need to adjust your registry first - what a bind! - wht do they just make it simple to check or not to check a simple box as your description says? Just my tuppenceworth here - thankyou again and I will be back asap.

Paul

MoralTerror · 04-21-2006, 11:17 AM

Image1.gif click for larger image

you mean you don't have this option in cleanup????

rozel · 04-22-2006, 09:43 AM

OK - sorry again for the delay but my sleeping patterns seem erratic these days to say the least.

No absolutlely not - this option does not appear - I downloaded Cleanup via the link on your reply earlier. See Thumbnail attached at the end of this post. I have lost further sleep due to my temporary "folders" being deleted. Several local discs have been cleaned out including 1 which included my paging file. Imagine now how hard it will be for me to recover the files/folders on this disc? I'm not impressed, particularly at a time when I am being afflicted with my BSOD - which I restate is as follows: -

STOP: C000021a { Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 ( 0x00000000 0x00000000)
The system has been shut down.

OK I ran your requirements as exactly as I could in the specific order you stated. However after adjusting my registry, I managed to get Cleanup to look solely at my C:\ drive. At the beginning Ewido would not complete it's scan - it kept bombing 75% of the way through. However at the end, prior to running the Panda Active Scan and HiJackThis, I ran it exclusively on my C:\ drive (I aborted the test after all the files on this drive had been scanned and then saved the log file - hope this is ok). HiJackThis bombed with the BSOD 3 times before the final run right at the end. In fact my PC was bombing with the BSOD regularly whether in Safe Mode or in Normal mode, when running these tests. Eiwedo bombed by itself sometimes and sometimes with the BSOD - this was the same for CleanUp and Panda. Hope I am making sense to you. I did report that I was having problems with Panda, in my first post - this did perform as expected at the end but again I ran it on my C:\ drive alone.

I submit the following Reports: -

EWIDO

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 17:13:42, 22/04/2006
+ Report-Checksum: 2BDDECE6

+ Scan result:

C:\Documents and Settings\Paul\Cookies\paul@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

::Report End

PANDA

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
Adware:adware/ist.istbar Not disinfected C:\Documents and Settings\Paul\Favorites\~ VIP Free Porn ~.url
Adware:adware/clickalchemy Not disinfected C:\WINDOWS\alchem.ini
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Paul\Cookies\paul@apmebf[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Paul\Cookies\paul@tribalfusion[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Paul\Cookies\paul@apmebf[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Paul\Cookies\paul@tribalfusion[1].txt
Security Risk:HackTool/Gendel.A Not disinfected C:\Program Files\Jummpa Software\setup\gendel32.ex_
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Security Risk:HackTool/Gendel.A Not disinfected C:\WINDOWS\system32\Setup\gendel32.ex_

HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 17:15:52, on 22/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\KService\KService.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
E:\DreamBox\Plugins\NFS Server\portmap.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SanDisk\low power 128MB + Wi-Fi CompactFlash Card\WLANUTL.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE INTEX USB PC Camera
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe
O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SanDisk Wi-Fi.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/english/c...dio/ChkDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093454827421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125763413078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files...fosFinder2.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BFEED49-519D-46EF-93E2-5CCA5FB05CF7}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BCACEBE-51E7-451A-8952-30AF761EA251}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
O23 - Service: TrueGrid NFS Server - Unknown owner - E:\DreamBox\NFS Server\nfs.exe (file missing)
O23 - Service: TrueGrid Portmapper - Unknown owner - E:\DreamBox\Plugins\NFS Server\portmap.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

OK so there you have it - I am still struggling to recover my files and weekend is being spent trying so very hard to do this as these were really important files. However since running Ewido and Panda I have not seen a recurrence of my BSOD (fingers and toes crossed) - YET!

I am however, having moaned a bit about CleanUp, very impressed with your kind support, and would be grateful if you would tell me what is happening or what was happening viz-a-viz and how my PC's behaviour relates(related) to the BSOD, which was why I sought out help in the first place.

Thankyou in anticipation once again

Paul

rozel · 04-22-2006, 12:00 PM

Quote:

Originally Posted by rozel

However since running Ewido and Panda I have not seen a recurrence of my BSOD (fingers and toes crossed) - YET!

Spoke too soon! As usual when running my file recovery program, well before the found files have been recovered, I get the BSOD - I really am hoping this Stop Error is to do with a virul/spyware/malware infrction of some kind - I would appreciate your confirmation that you have seen this Stop Error before and that it is something you can sort out please.

Paul

rozel · 04-23-2006, 04:31 AM

Just another thing - when I come to send an email or reply to one, the following appears automatically in the text - could this be a clue to what is happening?

Ôà

This is worrying as maybe my PC has been taken over and god knows what damage it's doing to me and the PC's on my network!

Paul

MoralTerror · 04-23-2006, 06:02 AM

Hi Paul

Is it a win2k based network??

Any strange symptons such as the text which appears in your emails should be reported here as it can allow us to identify particular infections quicker in some cases.

rozel · 04-23-2006, 10:29 AM

Thanks - no my system is XP Pro a home network via a router - 2 pc's hard wired and 3 via wireless. No starnge behaviours on other pc's yet! lol. So where now - again sorry for the delay in responding but I have been testing my memory usin memtest-86 v 3.2 for the last 4 hours or so. Am getting one error repeating: - Test 7. failing address:00038b24a5c 907.2mb Good: e0ae6a0d Bad: e0ae6b0d Err-Bits: 00000100 - I have had 3 ocurrences of this same error in 6 passes. Do you or anyone know if this is my problem. MoralTerror - could you please answer my question as to your help and if this will errdicate the Stop Error and advise me what to do next - I'm tempted to do a Windows Reair - please advise - I will now do nothing moreuntil I hear from you. I will be at work from 21.00 tonight until 06.30 tomorrow

Thanks again

Paul

MoralTerror · 04-24-2006, 06:10 AM

Hi Paul

I apologize for the delay in replying. We may have the solution to your stop error but first we need to clean most if not all of the malware from this machine.

Could you please confirm the following details

208Gb of files accidently deleted. Is it definately 208Gb this isn't a typo??

What drive and/or directory were these files?? what is their file extensions??

How many drives do you have and what are thier sizes??

This is a XP Pro machine not XP 64bit???

Do you recognise these services?? Are they necessary?

O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
O23 - Service: TrueGrid NFS Server - Unknown owner - E:\DreamBox\NFS Server\nfs.exe (file missing)
O23 - Service: TrueGrid Portmapper - Unknown owner - E:\DreamBox\Plugins\NFS Server\portmap.exe

RE:memtest - it's unusual to have test 7 fail and any fail would indicate either the ram module or another component is failing. However I would wait until you have been declared clean and the stop error has been dealt with, then run the test again testing only the free ram before you go moving modules to locate the 1 that is possibly failing.

MoralTerror · 04-24-2006, 06:30 AM

Hi Paul

Please print or copy this page to Notepad in order to assist you while carrying out the following instructions

Please disable Ewido Security Suite's Guard by doing the following:

Open ewido by double-clicking the yellow 'e' icon in the system tray.
In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe
O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

Please remember to close all other windows, including browsers then click Fix checked.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Click Start > Run and type regsvr32 /u occache.dll and press enter.

Delete the following Files indicated in RED if they still exist.

C:\Documents and Settings\Paul\Favorites\~ VIP Free Porn ~.url
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
C:\WINDOWS\alchem.ini
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf

If any of the following Files are present the please delete those also

C:\WINDOWS\system32\Programs\2 Find MP3 8.2.0.exe
C:\WINDOWS\system32\Programs\Fifa 2006 crack.exe
C:\WINDOWS\system32\Programs\Hotmail account hacker in 30 minutes.exe
C:\WINDOWS\system32\Programs\Hotmail hacker.exe
C:\WINDOWS\system32\Programs\Hotmailhacker v1.0.exe
C:\WINDOWS\system32\Programs\Microsoft Office 2000 Regmaker.exe
C:\WINDOWS\system32\Programs\Microsoft Office 2003 Professional Universal Crack without serial.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Activation Crack.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Activation Killer.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Professional Crack.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Professional Serial.exe
C:\WINDOWS\system32\Programs\Microsoft Office XP Universal Activator v1.0.exe
C:\WINDOWS\system32\Programs\Midnight Club 3 - DUB Edition Rockstar Games crack.exe
C:\WINDOWS\system32\Programs\Norton AntiVirus 2005 crack.exe
C:\WINDOWS\system32\Programs\Norton AntiVirus 2006 crack.exe
C:\WINDOWS\system32\Programs\Norton antivirus crack.exe
C:\WINDOWS\system32\Programs\Yahoo_mail_cracker.exe
C:\WINDOWS\system32\Programs\Yoshinoya Success crack.exe
C:\WINDOWS\system32\Programs\ZoneAlarm crack (keygen).exe
C:\WINDOWS\system32\Programs\hotmail_account_sniffer.exe
C:\WINDOWS\system32\Programs\norton anti virus FULL NEWEST VERSION.exe
C:\WINDOWS\system32\Programs\porn.exe
C:\WINDOWS\system32\Programs\porn_account_cracker.exe
C:\WINDOWS\system32\Programs\porn_account_hacker.exe
C:\WINDOWS\system32\Programs\pornmovie (hardcore sex adult asian).exe
C:\WINDOWS\system32\Programs\yahoo_cracker.exe
C:\WINDOWS\system32\Programs\yahoo_hacker.exe
C:\WINDOWS\system32\wkssvc.exe

Empty the contents of the following Folder(DO NOT delete the Folder)

C:\Documents and Settings\Paul\Cookies

Click Start > Run and type regsvr32 occache.dll and press enter.

Boot to Normal Mode

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended Scan
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Required Logs

Kaspersky results
new HijackThis log

rozel · 04-24-2006, 11:25 AM

Well this is my third attempt to write this post as my system keeps crashing with the BSOD - I followed your requirements to the letter apart from the Kaspersky Scan - I was afraid that it too would bomb out so I "stopped" it after it went on to the H:\ partition, thinking that by then it had scanned C:\, D:\,E:\ F:\ and G:\ - I hope my thinking is correct and I also hope I can finish this post before I get another BSOD - I'm more than frustrated now and totally in your care.

Thank you for replying again - I read your responses when I woke up this afternoon, just after you sent them, I think and have been struggling ever since. However I attach the two logs requested, but can confirm that so far the BSOD is ever present ! I would just add that today I managed to catch 2 crashes - before the 1st of the 2 BSOD's I got an error message which started off "ISACTIVEGUARD" - a web search revealed this may have had something to do with Edwido, so I uninstalled it. The second message just now came on so quickly and followed immediately by the BSOD, that I could not read it - this was a longer message. There is no telling when I get the BSOD's - usually it happens when I'm running either of my 2 file recovery progs or during a system scan. I have disabled Norton Antivirus Auto-Protect throughout and no other realtime scanner is now in operation. I will now answer your 2 posts.

First my systems details:

It was not a typo - I lost 208Gb of files. D:\ 34Gb, E:\ 5Gb, F;\ 45Gb G:\ 136Gb and H:\ 6 Gb all appx.

I run a Asus P4C800-E Deluxe mobo which has two independant RAID setups a Promise and an Intel.

I'm not sure right now which way round they are but think that C:\ and D:\ are in a Promise RAID (0) 2 x Western Digital 10,000 rpm drives of 35Gb each - C:\ being my bootable partition with E:\ (100Gb), F:\ (50Gb) and G:\ (150Gb) being in an Intel RAID(0) setup. I run XP-Pro (not XP 64 bit) and I also have numerous virtual drives and removable ones which all appear fine.

The files lost wer simply due to Cleanup not having the correct configuartion requirement installed - are you suggesting that this was due to a vrus or something? as I'm not sure why you want file extensions - they were wav, Vobs and numerous others - I would add that E:\ holds my MY Documents, nothing deleted and my Outlook express storage folders - again nothing deleted. F:\ however and more importantly holds my paging file and Internet Cache so F:\ is constantly being overwritten and will hinder my file recovery. I run 2 progs namely File Scavenger 2 and R-Studio. As with virus scanners whether progs or online, they abort by themselves prior to completeion or with the BSOD which is more than totally frustrating.

OK now on to your second post of today: -

Ran everything and deleted everything meticulously I recognise most of the stuff you mention under "Services" so I would rather not delete these - most of it relates to my Dreambox or Mercedes Diagnosis programs - not sure about Kontiki though.

I will hede what you say regarding Memtest.

all entries in HiJackThis checked and fixed did what you said from then on. None of the files in C:\Windows\system32\Programs were present. Deleted the cookies and did what you said re regsvr32 all in safemode etc and then in normal mode ran Kaspersky. As I said I aborted this after it started on H:\ I'm assuming it covered C:\ and F;\ but not sure about the latter and certainly not sure about whether it cleaned anything - everything seemed to have been skipped - but it is an online scanner isn't it - not intended to do anything with what it finds isn't it? or did my stopping before completion prevent it from cleaning - please advise.

The two logs are now shown and I would be grateful for what to do next.

Kaspersky Log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, April 24, 2006 6:04:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 24/04/2006
Kaspersky Anti-Virus database records: 189678
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\
Q:\
R:\
S:\

Scan Statistics:
Total number of scanned objects: 149270
Number of viruses found: 44
Number of infected objects: 136
Number of suspicious objects: 4
Duration of the scan process: 02:32:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip/install.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip/install.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\066150CA.htm Infected: Trojan-Clicker.JS.Linker.p skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24233EEA.dat Infected: Backdoor.Win32.SpyBoter.dv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2579329B.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2579329B.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2579329B.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2579329B.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2579329B.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2579329B.zip CryptFF: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA57B0F.dll Infected: not-a-virus:AdWare.Win32.WinAD.ad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3FFF2F1D.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3FFF2F1D.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3FFF2F1D.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3FFF2F1D.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3FFF2F1D.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3FFF2F1D.zip CryptFF: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\56502EDE.dat Infected: P2P-Worm.Win32.Apsiv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A075984.zip/Counter.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A075984.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A075984.zip/web.exe Infected: Trojan.Win32.LowZones.cp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A075984.zip/Worker.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A075984.zip/Xeyond.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A075984.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A075984.zip CryptFF: infected - 5 skipped
C:\Documents and Settings\Paul\Desktop\Spyware stuff\Norton 2006 Cracks\norton antivirus 2006 keygen (2) (1).exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja skipped
C:\Documents and Settings\Paul\Desktop\Spyware stuff\Norton 2006 Cracks\norton antivirus 2006 keygen (2) (1).exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\Documents and Settings\Paul\Desktop\Spyware stuff\Norton 2006 Cracks\norton antivirus 2006 keygen (2) (1).exe NSIS: infected - 2 skipped
C:\Documents and Settings\Paul\Desktop\Spyware stuff\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.MediaTickets.y skipped
C:\Documents and Settings\Paul\Desktop\Spyware stuff\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\Paul\Desktop\Spyware stuff\OiUninstaller.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Paul\Desktop\YouSendIt Downloads\YSIGet 0.99c.exe/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Paul\Desktop\YouSendIt Downloads\YSIGet 0.99c.exe NSIS: infected - 1 skipped
C:\Program Files\DreamTSman\DreamTSman.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\GIANT Company Software\Spam Inspector\siMailClientAccounts.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\GIANT Company Software\Spam Inspector\siMain.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\Internet Explorer\iexplore.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\Microsoft ActiveSync\CeAppMgr.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\Outlook Express\msimn.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\SMSC\SetIcon.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\Windows Media Components\Encoder\wmenc.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\Windows NT\Pinball\pinball.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\Program Files\YSIGet\uninstall.exe/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\YSIGet\uninstall.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-602162358-2049760794-682003330-500\Dc16.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP1\A0000142.EXE/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP1\A0000142.EXE NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP1\A0000163.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP1\A0000164.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP1\A0000165.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP1\A0000166.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP1\A0000167.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000169.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000171.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000172.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.z skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000173.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000174.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000175.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000176.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000177.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.v skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000178.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000179.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000180.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000181.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000182.DLL Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000183.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000185.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.p skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP2\A0000186.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ab skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP3\A0000187.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP5\A0000378.exe Infected: not-a-virus:Porn-Dialer.Win32.GBDialer.d skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP5\A0000495.exe Infected: Backdoor.Win32.Prorat.db skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP5\A0000496.exe Infected: Backdoor.Win32.Prorat.db skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP5\A0000497.exe Infected: not-a-virus:NetTool.Win32.AccessDiver.4140 skipped
C:\System Volume Information\_restore{F69CB265-1087-4B91-B35C-6A940FD4FEBE}\RP5\A0000672.exe Infected: Virus.DOS.Vit.a skipped
C:\WINDOWS\inf\unregmp2.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\notepad.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\regedit.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\setup.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\WINDOWS\setup.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\accwiz.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\dxdiag.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\logon.scr Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\logonui.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\mshearts.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\mspaint.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\notepad.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\Restore\rstrui.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\taskmgr.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\telnet.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\tourstart.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\wbem\wmiadap.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\wbem\wmiapsrv.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\system32\wiaacmgr.exe Infected: P2P-Worm.Win32.Polip.a skipped
C:\WINDOWS\_.EXE/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja skipped
C:\WINDOWS\_.EXE/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\WINDOWS\_.EXE NSIS: infected - 2 skipped
E:\Kazza Lite Downloads\AutoRoute_2004_Keygen.exe/data.rar/AutoRoute_2004_Keygen/admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
E:\Kazza Lite Downloads\AutoRoute_2004_Keygen.exe/data.rar/AutoRoute_2004_Keygen/video.dat Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
E:\Kazza Lite Downloads\AutoRoute_2004_Keygen.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
E:\Kazza Lite Downloads\AutoRoute_2004_Keygen.exe RarSFX: infected - 3 skipped
E:\Kazza Lite Downloads\Spybot-spyware-search-and-destroy.zip/setup-freewire-file-sharing-app-no-ads-or-banners.exe/data0002 Infected: not-a-virus:AdWare.Win32.IPInsight.a skipped
E:\Kazza Lite Downloads\Spybot-spyware-search-and-destroy.zip/setup-freewire-file-sharing-app-no-ads-or-banners.exe/data0004 Infected: not-a-virus:AdWare.Win32.IGetNet skipped
E:\Kazza Lite Downloads\Spybot-spyware-search-and-destroy.zip/setup-freewire-file-sharing-app-no-ads-or-banners.exe/data0005 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
E:\Kazza Lite Downloads\Spybot-spyware-search-and-destroy.zip/setup-freewire-file-sharing-app-no-ads-or-banners.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
E:\Kazza Lite Downloads\Spybot-spyware-search-and-destroy.zip ZIP: infected - 4 skipped
E:\Kazza Lite Downloads\xoftspy registration code.rar/loader.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja skipped
E:\Kazza Lite Downloads\xoftspy registration code.rar/loader.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
E:\Kazza Lite Downloads\xoftspy registration code.rar/loader.exe Infected: Trojan-Downloader.Win32.IstBar.nn skipped
E:\Kazza Lite Downloads\xoftspy registration code.rar RAR: infected - 3 skipped
E:\My Documents\Miscellaneous Outstanding\Army Complaint and Expenses 1.doc Infected: Trojan-Dropper.MSWord.Lafool.h skipped
E:\Our PC's\George\Memory Installation - George.doc Infected: Trojan-Dropper.MSWord.Lafool.h skipped
E:\Our PC's\Raid Recovery\UBCD4WinV25.exe/data.rar/plugin/passwordspro/files/PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.SAMInside.b skipped
E:\Our PC's\Raid Recovery\UBCD4WinV25.exe/data.rar/plugin/VNCServer/vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\Our PC's\Raid Recovery\UBCD4WinV25.exe/data.rar/plugin/VNCServer/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\Our PC's\Raid Recovery\UBCD4WinV25.exe/data.rar/plugin/VNCServer/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\Our PC's\Raid Recovery\UBCD4WinV25.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\Our PC's\Raid Recovery\UBCD4WinV25.exe RarSFX: infected - 5 skipped
E:\Outlook Express Mail and News Data Storage\Emmas Wedding.dbx/[From "Paul" <rozel@dsl.pipex.com>][Date Thu, 11 Aug 2005 17:49:39 +0100]/UNNAMED/Army Infected: Trojan-Dropper.MSWord.Lafool.h skipped
E:\Outlook Express Mail and News Data Storage\Emmas Wedding.dbx/[From "Paul" <rozel@dsl.pipex.com>][Date Thu, 11 Aug 2005 17:49:39 +0100]/UNNAMED Infected: Trojan-Dropper.MSWord.Lafool.h skipped
E:\Outlook Express Mail and News Data Storage\Emmas Wedding.dbx Mail MS Outlook 5: infected - 2 skipped
E:\Outlook Express Mail and News Data Storage\Inbox (5).dbx/[From "Peter and Jean" <peterandjean@chellow.free-online.co.uk>][Date Sun, 2 Jul 2000 14:27:01 +0100]/UNNAMED/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\Outlook Express Mail and News Data Storage\Inbox (5).dbx/[From "Peter and Jean" <peterandjean@chellow.free-online.co.uk>][Date Sun, 2 Jul 2000 14:27:01 +0100]/UNNAMED/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\Outlook Express Mail and News Data Storage\Inbox (5).dbx/[From "Peter and Jean" <peterandjean@chellow.free-online.co.uk>][Date Sun, 2 Jul 2000 14:27:01 +0100]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\Outlook Express Mail and News Data Storage\Inbox (5).dbx Mail MS Outlook 5: infected - 3 skipped
E:\RECYCLER\NPROTECT\00000045.DBX/[From "Peter and Jean" <peterandjean@chellow.free-online.co.uk>][Date Sun, 2 Jul 2000 14:27:01 +0100]/UNNAMED/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\RECYCLER\NPROTECT\00000045.DBX/[From "Peter and Jean" <peterandjean@chellow.free-online.co.uk>][Date Sun, 2 Jul 2000 14:27:01 +0100]/UNNAMED/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\RECYCLER\NPROTECT\00000045.DBX/[From "Peter and Jean" <peterandjean@chellow.free-online.co.uk>][Date Sun, 2 Jul 2000 14:27:01 +0100]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\RECYCLER\NPROTECT\00000045.DBX Mail MS Outlook 5: infected - 3 skipped
E:\RECYCLER\NPROTECT\00000069.DBX/[From "Paul" <rozel@dsl.pipex.com>][Date Thu, 11 Aug 2005 17:49:39 +0100]/UNNAMED/Army Infected: Trojan-Dropper.MSWord.Lafool.h skipped
E:\RECYCLER\NPROTECT\00000069.DBX/[From "Paul" <rozel@dsl.pipex.com>][Date Thu, 11 Aug 2005 17:49:39 +0100]/UNNAMED Infected: Trojan-Dropper.MSWord.Lafool.h skipped
E:\RECYCLER\NPROTECT\00000069.DBX Mail MS Outlook 5: infected - 2 skipped
E:\Screensavers Wallpapers Etc\ScreenSavers\3dscreensavers\SpiritOfFire3DScreenSaver\Spirit of Fire 3d ScreenSaver.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped
E:\Screensavers Wallpapers Etc\ScreenSavers\3dscreensavers\SpiritOfFire3DScreenSaver\Spirit of Fire 3d ScreenSaver.exe WiseSFX: infected - 1 skipped
E:\Software Programs\Microsoft Software\Microsoft Office 2003\Cracks Etc\Microsoft Office 2003 crack (VARIFIED WORKING)\rinst.exe Infected: not-a-virus:Monitor.Win32.Perflogger.f skipped

Scan was interrupted by user!

HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 19:23:05, on 24/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\KService\KService.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
E:\DreamBox\Plugins\NFS Server\portmap.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SanDisk\low power 128MB + Wi-Fi CompactFlash Card\WLANUTL.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE INTEX USB PC Camera
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SanDisk Wi-Fi.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/english/c...dio/ChkDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093454827421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125763413078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files...fosFinder2.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BFEED49-519D-46EF-93E2-5CCA5FB05CF7}: NameServer = 158.43.240.4,158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BCACEBE-51E7-451A-8952-30AF761EA251}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
O23 - Service: TrueGrid NFS Server - Unknown owner - E:\DreamBox\NFS Server\nfs.exe (file missing)
O23 - Service: TrueGrid Portmapper - Unknown owner - E:\DreamBox\Plugins\NFS Server\portmap.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

Thanks again for your support - I hope you can rid me of this blasted BSOD!

Paul

rozel · 04-25-2006, 10:59 AM

Not chasing but my BSOD's are more frequent than ever and I'm getting desparate. I am writing this email on my LapTop, accessing my Router for the Internet Connection. In my endeavour to transfer a small folder of information and progs relating to this thread, I accessed my Network and my main PC, the subject of this thread. My Laptop has Norton Systemworks installed and it detected that many of my main pc's Desktop files were infected with the W32.Polip Virus. the link: -

http://securityresponse.symantec.com...w32.polip.html

I am now wondering whether this may be the cause of my difficulties? And of course if this is what you think, when you said you may have found a solution?

If so, could you please tell me how to rid myself of this Virus and how my files can be cleaned. I would mention that my main pc's Desktop is cluttered with all sorts of files and every few seconds when I was accessing the network I kept getting W32.Polip virus warnings via Norton Systemworks. I was only connected a short time (2 minutes) and as soon as I realised what was going on, I stopped the transfer of the folder deleted this closed Windows Explorer and rebooted my Laptop. This has stopped the warnings. and I confirm none of the files (.exe's) were executed on my Laptop, so hopefully nothing has been infected. I will check in safe mode soon though just to be sure.

I am now thinking about a full reformat and reinstall of my Progs, but obviously want to save my email messages etc and need to know whether by transferring them to the newly formatted C:\ partion, that I am not going to reinfect.

So the options seem to be: -

1. You can help me still and can confirm that you can clean me up once and for all

2. Try a repair install of XP

3. Full format reinstall of Windows

So I will wait for you further - I will be off to work in a couple of hours so I hope you can respond before 06.30am my time tomorrow morning.

Thank you again

Paul

rozel · 04-25-2006, 10:38 PM

-bump-

MoralTerror · 04-26-2006, 06:47 AM

Hi Paul

Your PC has an extremely nasty infection win32.polip. Disconnect it from the internet and your network NOW.

Uninstall all cracked software and obtain a liscenced anti-virus program to scan your other computers.

AVG Anti-Virus
Avast Home Edition

Scan all the other computers with updated virus definitions. If all of the computers are infected with win32.polip then I would advise full re-installation of Windows on all computers. The drives should be fully formatted with the manufacturers disk tool or a third party disk wipe utility before attempting to re-install the Operating System.

This infection is transmitted via P2P networks and injects malicous code into many important system files and program files. Cleaning of this type of infection is difficult and may still result in a full re-install being required. The best way forward is to re-install now rather than attempt cleaning.

rozel · 04-26-2006, 04:10 PM

Ok thanks for stating the obvious - I seem to be one step ahead of you here caused mainly by the time lag between my post and your reply. This, I quite accept is partly due to my working the night shift. However tonight I have not been into work so have a little more time to check things out. My Laptop gave the clue here and nothing you have said so far has given me confidence that you knew what you were looking for. Had you done so, then maybe my files and PC may have been in better shape now than they actually are. You have not answered the fundamental question as to why CleanUp deleted all my files - why did the program downloaded via your link, not have the "Scan all drives" option? - I am very surprised that you have avoided this issue having received proof as to what I have been saying - all I seem to get is "is this a typo/" etc etc - you know what I am saying. Your link destroyed 228GB (not 208Gb as I originally said) worth of files and I am very angry indeed.

OK - so what now - well I have updated my PC's NortonSystemwork' Subscription Definitions from 19th April to 24th April and run a full scan in Safe Mode. Naturally it found 447 infected files, which it could not fix - WHY? I have had to quarantine them and hope they can be cleaned? HOW?

Please advise and please start answering my questions, instead of asking your own. You have not answered anything I have asked yet - you keep changing the subject and ask your own. Symantec's site suggests this Virus can be sorted, so why can not Nort SW not repair the infected files? Most of my progs now will not work, including Internet Explorer and Outlook Express. No good telling me after I told you that this is a nasty infection. I already knew that, what I need is to how to clean the infected files and perhaps if you cannot inform me of that, more info than I can glean from Symantec, but then maybe that is where you are getting your info from? I say this not sarcastically, but because Symantec suggest this virus is new (21.04.2006) - am I right here? If so then I would have expected more from you in your last post about this extremely nasty virus, if not for me, then for the vast numbers of your memebers subscribing to your forums - YES?

Please hede what I am saying here - if this is such a new and nasty virus as seems the case then you need to flag this up staraight away and tell everyone what they should do about it. I have never seen such a virus before and wonder whether Symantec know how to clean it/repair files infected with it?

Please give me more informtion - much more information, particularly as it seems your site has directly contributed to the destroying of 228Gb of my important files and my R-Studio and FileScavenger 2 .exe files have both been affected by this virus, as well as 445 others!

Thankyou again - I'm not sorry for the tone of this post as I am very very angry at the level of support, the quality of it and the time lag between responses - these respoinses being in direct response to my own, with hardly anything new being added. Please can I suggest that this thread is sent to a more senior analyst please?

Paul

I would have responded earlier but for a family matter that has taken priority.

MoralTerror · 04-27-2006, 01:59 AM

First I have my own family matters to deal with so if I've delayed too much then I apologize

Second I stated at the start of this thread that I am consulting with the experts on this and any other log I take. These experts also all have their own family matters so if they have delayed in getting back to me before I get back to you then again I apologize.

3rd we are all volunteers here providing you and many many others FREE support

Fourth we have already told you that your P2P activity and your cracked software is the root cause of this infection. We have also told you that cleaning of this infection is NOT guaranteed and that re-installation is the best step to take.

The files quaranteed by Norton cannot be cleaned due to polymorphic code being injected into their executable files. The only way to get rid of these is to delete them from quarantine following the guide I gave you already. However as you are aware many of these programs will not work. We have already told you that this infection is too difficult to clean and re-installation is the best solution for you.

As for CleanUp your version is a newer version than mine. My version needs that "scan drives for temporary files" unchecked so that Office files are not deleted. Your version does not require this option. You have already been told this.

The questions we asked were to try and determine the cause of your important files being deleted however we were unable to gather enough information to determine the most likely cause.

The Polip version you have is very new and as far as we aware Symantec can't clean it wholly. We DO NOT rely on 1 source alone for information we use many sources to confirm our findings. Our findings are that most if not then all Anti-virus products are unable to fully clean this infection. With even traces of it left you will quickly be infested again. We have suggested the best route for you is to re-install.

I have passed this on to more senior analysts. I wish you luck with your problem. Have a nice day

rozel · 04-27-2006, 03:51 AM

Yes - sorry - I understand most of what you have said - and I know you are all volunteers and now know that deletion is the only step forward. I have paid Symantec 69 Euros, to clean my system, which they say they can do and right now, after deleting these files, god knows how I will replace them, I am in the process with Symantec. Whether this will be succesful or not remains to be seen, but they are adamant that after deleting these files, my system can be cleaned.

I am still not sure what you mean with CleanUp, there was no warning before I used this and you say my version did not need this option - errrrrrrrrr I don't understand you. My version certainly did not have this option, I hope you are not disputing this, and I was given no warning that it would then scan all my drives and delete temporary folders.

Please inform me further as right now I am in a position whereby I have lost files, probably indefinately, unless I can restore these after my system has been cleaned and the software resupplied.

Paul

MoralTerror · 04-27-2006, 05:23 AM

Hi Paul

I'm not sure where your confusion lies.

The version of cleanup which you have does NOT have the checkbox I asked you to uncheck. This is because the previous version had that checkbox to avoid deleting Office programs .tmp files. The new version does not require this checkbox so obviously there is no need to include the box in the programs interface.

The link I sent you to clearly states that temp directories will be cleaned out.

tempFoldersInCleanUp.jpg

If you continue to the download page which you obviously did then you are IMMEDIATELY faced with instructions to make a backup.

readInstructions.jpg

It then goes on to explain that temporary directories including downloads will be deleted.

readInstructions2.jpg

I hope that you appreciate while we endeavour to make instructions as simple as possible we do still need users to follow not only our suggestions but that of any links or programs we may refer you to. Failing to read instructions on your part does not by any means lay the responsibility of your lost files on either myself, my mentors, this site or indeed CleanUp.

I understand that you are upset at not only losing these files but being seriously infected by this new strain of polip. But I fail to see why that is the fault of this site.

As you have already stated that you lack confidence in my abilities I have as you requested passed this on to the more senior members and you can take it up with them.

I have apologized for your inconvenience and don't see there is much else I can do. I suspect the files were deleted due to the seriousness of your infestation but maybe the experts will shed more light on this matter for you.

04-20-2006, 09:34 AM	#1 (permalink)
rozel Registered User Join Date: Oct 2003 Location: UK Posts: 38 OS: XP Pro (SP2)	Fatal Errors Using Virus Scanning (Norton Systemworks) Hi I have been running my system for several years now but recently I had to uninstall Norton Systemworks and reinstall. There was a period in between and my PC became infected with god knows what. After running several Spyware cleaners: - AdawareSE, SpyBot Search&Destroy, Xoftspy, Spysweeper, Ewido and the Panda online checker I seem to be getting the following fatal error during the course of a full or partial System Check in Systemwork's Norton Antivirus 2005: - STOP: C000021a { Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 ( 0x00000000 0x00000000) The system has been shut down. This error also ocurrs if I leave my machine on for any length of time unused and I think kicks in at the time the screen saver activates, as when I disable the screen saver, this problem doesn't seem to ocurr. Over the years I am sure I have infections which these progs do not pick up and given a reformat at the present time is out of the question, I feel the time is right for your experts to take a look please. I can find little of relevance when looking up this Stop Error apart from some reference to Adaware and Panda. I have uninstalled the Panda stuff but still I am getting this error. I work the night shift but finish tomorrow morning early and will endeavour to reply speedily to your responses/requests. I confirm that I have run the processes and checks in your First Steps Sticky. My Hijack log is as follows:- Logfile of HijackThis v1.99.1 Scan saved at 17:14:27, on 20/04/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\Program Files\KService\KService.exe c:\opt\MBCASE\pm\bin\mcp.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Program Files\Dantz\Retrospect\retrorun.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe c:\opt\MBCASE\WIS\TBCD\tbmux32.exe E:\DreamBox\Plugins\NFS Server\portmap.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\cmd.exe C:\opt\MBCASE\pm\bin\cmserver.exe C:\WINDOWS\system32\cmd.exe C:\opt\MBCASE\pm\bin\lic_srv.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe C:\Program Files\SMSC\Seticon.exe C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe C:\WINDOWS\System32\hphmon04.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\HPHipm11.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\VM_STI.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SanDisk\low power 128MB + Wi-Fi CompactFlash Card\WLANUTL.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Messenger\msmsgs.exe C:\Hijack This\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe" O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE INTEX USB PC Camera O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\RECYCLER\NPROTECT\01501711.exe O4 - Global Startup: SanDisk Wi-Fi.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O15 - Trusted Zone: http://Download.Windowsupdate.com O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemp...veSekurity.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/english/c...dio/ChkDVD.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093454827421 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125763413078 O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://217.69.157.142/player/kdreg.cab O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files...fosFinder2.CAB O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1BFEED49-519D-46EF-93E2-5CCA5FB05CF7}: NameServer = 158.43.240.4,158.43.240.3 O17 - HKLM\System\CCS\Services\Tcpip\..\{2BCACEBE-51E7-451A-8952-30AF761EA251}: NameServer = 62.241.162.200,62.241.163.200 O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing) O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing) O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing) O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing) O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing) O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe O23 - Service: TrueGrid NFS Server - Unknown owner - E:\DreamBox\NFS Server\nfs.exe (file missing) O23 - Service: TrueGrid Portmapper - Unknown owner - E:\DreamBox\Plugins\NFS Server\portmap.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe Your assistance is greatly appreciated right now Paul

04-20-2006, 11:40 AM	#2 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	Hi. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. Please be patient with me during this time. Last edited by MoralTerror; 04-20-2006 at 11:41 AM.

04-21-2006, 01:17 AM	#3 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	Hi Paul Please print this page or copy it to Notepad in order to assist you while carrying out the following instructions. Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it. You will use this later. Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper: Go to the Options>Program Options Uncheck Load at Windows Startup Click Shields & uncheck all items there Uncheck Home page shield. Please disable Ewido Security Suite's Guard by doing the following: Open ewido by double-clicking the yellow 'e' icon in the system tray. In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'. When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup. Launch Ewido & click Update from the left pane Then click on Start Update.[/list] If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Please leave both of those programs disabled until your logs are clean. Please use Symantec's guide to remove the Norton Quarantine files. Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK. Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: Click Options Move the slider button down to Custom CleanUp! Check the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Uncheck the following : Scan local drives for temporary files Click OK, Press the CleanUp! button to start the program and reboot when prompted. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: * "Perform action on all infections" * Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\RECYCLER\NPROTECT\01501711.exe O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemp...veSekurity.cab O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe O16 - DPF: {E0051273-5988-41EC-A891-11D4A1BABF35} (KDreg class) - http://217.69.157.142/player/kdreg.cab O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing) Please remember to close all other windows, including browsers then click Fix checked. Delete the following Files indicated in RED if they still exist. winccf32.dll find via start>search wkssvc.exe find via start>search C:\RECYCLER\NPROTECT\01501711.exe Reboot your system in Normal Mode. Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now** and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan Paste the Panda Scan report here together with a new HiJack This log. Required Logs Ewido report Panda report new HijackThis log

04-24-2006, 06:30 AM	#12 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	Hi Paul Please print or copy this page to Notepad in order to assist you while carrying out the following instructions Please disable Ewido Security Suite's Guard by doing the following: Open ewido by double-clicking the yellow 'e' icon in the system tray. In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'. When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup. Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK. Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O4 - HKCU\..\Run: [Windows Workstation Service] wkssvc.exe O4 - HKCU\..\RunServices: [Windows Workstation Service] wkssvc.exe O15 - Trusted Zone: http://Download.Windowsupdate.com O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - Please remember to close all other windows, including browsers then click Fix checked. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Click Start > Run and type regsvr32 /u occache.dll and press enter. Delete the following Files indicated in RED if they still exist. C:\Documents and Settings\Paul\Favorites\~ VIP Free Porn ~.url C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll C:\WINDOWS\alchem.ini C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf If any of the following Files are present the please delete those also C:\WINDOWS\system32\Programs\2 Find MP3 8.2.0.exe C:\WINDOWS\system32\Programs\Fifa 2006 crack.exe C:\WINDOWS\system32\Programs\Hotmail account hacker in 30 minutes.exe C:\WINDOWS\system32\Programs\Hotmail hacker.exe C:\WINDOWS\system32\Programs\Hotmailhacker v1.0.exe C:\WINDOWS\system32\Programs\Microsoft Office 2000 Regmaker.exe C:\WINDOWS\system32\Programs\Microsoft Office 2003 Professional Universal Crack without serial.exe C:\WINDOWS\system32\Programs\Microsoft Office XP Activation Crack.exe C:\WINDOWS\system32\Programs\Microsoft Office XP Activation Killer.exe C:\WINDOWS\system32\Programs\Microsoft Office XP Professional Crack.exe C:\WINDOWS\system32\Programs\Microsoft Office XP Professional Serial.exe C:\WINDOWS\system32\Programs\Microsoft Office XP Universal Activator v1.0.exe C:\WINDOWS\system32\Programs\Midnight Club 3 - DUB Edition Rockstar Games crack.exe C:\WINDOWS\system32\Programs\Norton AntiVirus 2005 crack.exe C:\WINDOWS\system32\Programs\Norton AntiVirus 2006 crack.exe C:\WINDOWS\system32\Programs\Norton antivirus crack.exe C:\WINDOWS\system32\Programs\Yahoo_mail_cracker.exe C:\WINDOWS\system32\Programs\Yoshinoya Success crack.exe C:\WINDOWS\system32\Programs\ZoneAlarm crack (keygen).exe C:\WINDOWS\system32\Programs\hotmail_account_sniffer.exe C:\WINDOWS\system32\Programs\norton anti virus FULL NEWEST VERSION.exe C:\WINDOWS\system32\Programs\porn.exe C:\WINDOWS\system32\Programs\porn_account_cracker.exe C:\WINDOWS\system32\Programs\porn_account_hacker.exe C:\WINDOWS\system32\Programs\pornmovie (hardcore sex adult asian).exe C:\WINDOWS\system32\Programs\yahoo_cracker.exe C:\WINDOWS\system32\Programs\yahoo_hacker.exe C:\WINDOWS\system32\wkssvc.exe Empty the contents of the following Folder(DO NOT delete the Folder) C:\Documents and Settings\Paul\Cookies Click Start > Run and type regsvr32 occache.dll and press enter. Boot to Normal Mode Perform an online scan with Internet Explorer with Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended Scan Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Required Logs Kaspersky results new HijackThis log

04-26-2006, 04:10 PM	#17 (permalink)
rozel Registered User Join Date: Oct 2003 Location: UK Posts: 38 OS: XP Pro (SP2)	Very Very Angry Now !!!! Ok thanks for stating the obvious - I seem to be one step ahead of you here caused mainly by the time lag between my post and your reply. This, I quite accept is partly due to my working the night shift. However tonight I have not been into work so have a little more time to check things out. My Laptop gave the clue here and nothing you have said so far has given me confidence that you knew what you were looking for. Had you done so, then maybe my files and PC may have been in better shape now than they actually are. You have not answered the fundamental question as to why CleanUp deleted all my files - why did the program downloaded via your link, not have the "Scan all drives" option? - I am very surprised that you have avoided this issue having received proof as to what I have been saying - all I seem to get is "is this a typo/" etc etc - you know what I am saying. Your link destroyed 228GB (not 208Gb as I originally said) worth of files and I am very angry indeed. OK - so what now - well I have updated my PC's NortonSystemwork' Subscription Definitions from 19th April to 24th April and run a full scan in Safe Mode. Naturally it found 447 infected files, which it could not fix - WHY? I have had to quarantine them and hope they can be cleaned? HOW? Please advise and please start answering my questions, instead of asking your own. You have not answered anything I have asked yet - you keep changing the subject and ask your own. Symantec's site suggests this Virus can be sorted, so why can not Nort SW not repair the infected files? Most of my progs now will not work, including Internet Explorer and Outlook Express. No good telling me after I told you that this is a nasty infection. I already knew that, what I need is to how to clean the infected files and perhaps if you cannot inform me of that, more info than I can glean from Symantec, but then maybe that is where you are getting your info from? I say this not sarcastically, but because Symantec suggest this virus is new (21.04.2006) - am I right here? If so then I would have expected more from you in your last post about this extremely nasty virus, if not for me, then for the vast numbers of your memebers subscribing to your forums - YES? Please hede what I am saying here - if this is such a new and nasty virus as seems the case then you need to flag this up staraight away and tell everyone what they should do about it. I have never seen such a virus before and wonder whether Symantec know how to clean it/repair files infected with it? Please give me more informtion - much more information, particularly as it seems your site has directly contributed to the destroying of 228Gb of my important files and my R-Studio and FileScavenger 2 .exe files have both been affected by this virus, as well as 445 others! Thankyou again - I'm not sorry for the tone of this post as I am very very angry at the level of support, the quality of it and the time lag between responses - these respoinses being in direct response to my own, with hardly anything new being added. Please can I suggest that this thread is sent to a more senior analyst please? Paul I would have responded earlier but for a family matter that has taken priority.

04-21-2006, 09:18 AM	#4 (permalink)
rozel Registered User Join Date: Oct 2003 Location: UK Posts: 38 OS: XP Pro (SP2)	Thanks for getting back so quickly. I had to have some sleep today - it was a hard shift last night and just read your helpful thread. I am in the process of undertaking your requirements and will post back later today tomorrow morning. In the meantime I ran Cleanup and as I did not have the option to "scan local drives" I disregarded it only to find it deleted 208Gb of files downloaded to a "temp" folder - oh well. Once I've recovered them (I'm in the process of doing so now) I will crack on with the remainder of your requirements. By the way I have noticed that you can elect to scan what drive(s) you want to in Cleanup, but you need to adjust your registry first - what a bind! - wht do they just make it simple to check or not to check a simple box as your description says? Just my tuppenceworth here - thankyou again and I will be back asap. Paul

04-21-2006, 11:17 AM	#5 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	Image1.gif click for larger image you mean you don't have this option in cleanup????

04-23-2006, 04:31 AM	#8 (permalink)
rozel Registered User Join Date: Oct 2003 Location: UK Posts: 38 OS: XP Pro (SP2)	Just another thing - when I come to send an email or reply to one, the following appears automatically in the text - could this be a clue to what is happening? Ôà This is worrying as maybe my PC has been taken over and god knows what damage it's doing to me and the PC's on my network! Paul

04-23-2006, 06:02 AM	#9 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	Hi Paul Is it a win2k based network?? Any strange symptons such as the text which appears in your emails should be reported here as it can allow us to identify particular infections quicker in some cases.

04-23-2006, 10:29 AM	#10 (permalink)
rozel Registered User Join Date: Oct 2003 Location: UK Posts: 38 OS: XP Pro (SP2)	Thanks - no my system is XP Pro a home network via a router - 2 pc's hard wired and 3 via wireless. No starnge behaviours on other pc's yet! lol. So where now - again sorry for the delay in responding but I have been testing my memory usin memtest-86 v 3.2 for the last 4 hours or so. Am getting one error repeating: - Test 7. failing address:00038b24a5c 907.2mb Good: e0ae6a0d Bad: e0ae6b0d Err-Bits: 00000100 - I have had 3 ocurrences of this same error in 6 passes. Do you or anyone know if this is my problem. MoralTerror - could you please answer my question as to your help and if this will errdicate the Stop Error and advise me what to do next - I'm tempted to do a Windows Reair - please advise - I will now do nothing moreuntil I hear from you. I will be at work from 21.00 tonight until 06.30 tomorrow Thanks again Paul

04-24-2006, 06:10 AM	#11 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	Hi Paul I apologize for the delay in replying. We may have the solution to your stop error but first we need to clean most if not all of the malware from this machine. Could you please confirm the following details 208Gb of files accidently deleted. Is it definately 208Gb this isn't a typo?? What drive and/or directory were these files?? what is their file extensions?? How many drives do you have and what are thier sizes?? This is a XP Pro machine not XP 64bit??? Do you recognise these services?? Are they necessary? O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing) O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing) O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing) O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe O23 - Service: TrueGrid NFS Server - Unknown owner - E:\DreamBox\NFS Server\nfs.exe (file missing) O23 - Service: TrueGrid Portmapper - Unknown owner - E:\DreamBox\Plugins\NFS Server\portmap.exe RE:memtest - it's unusual to have test 7 fail and any fail would indicate either the ram module or another component is failing. However I would wait until you have been declared clean and the stop error has been dealt with, then run the test again testing only the free ram before you go moving modules to locate the 1 that is possibly failing.

04-25-2006, 10:59 AM	#14 (permalink)
rozel Registered User Join Date: Oct 2003 Location: UK Posts: 38 OS: XP Pro (SP2)	Not chasing but my BSOD's are more frequent than ever and I'm getting desparate. I am writing this email on my LapTop, accessing my Router for the Internet Connection. In my endeavour to transfer a small folder of information and progs relating to this thread, I accessed my Network and my main PC, the subject of this thread. My Laptop has Norton Systemworks installed and it detected that many of my main pc's Desktop files were infected with the W32.Polip Virus. the link: - http://securityresponse.symantec.com...w32.polip.html I am now wondering whether this may be the cause of my difficulties? And of course if this is what you think, when you said you may have found a solution? If so, could you please tell me how to rid myself of this Virus and how my files can be cleaned. I would mention that my main pc's Desktop is cluttered with all sorts of files and every few seconds when I was accessing the network I kept getting W32.Polip virus warnings via Norton Systemworks. I was only connected a short time (2 minutes) and as soon as I realised what was going on, I stopped the transfer of the folder deleted this closed Windows Explorer and rebooted my Laptop. This has stopped the warnings. and I confirm none of the files (.exe's) were executed on my Laptop, so hopefully nothing has been infected. I will check in safe mode soon though just to be sure. I am now thinking about a full reformat and reinstall of my Progs, but obviously want to save my email messages etc and need to know whether by transferring them to the newly formatted C:\ partion, that I am not going to reinfect. So the options seem to be: - 1. You can help me still and can confirm that you can clean me up once and for all 2. Try a repair install of XP 3. Full format reinstall of Windows So I will wait for you further - I will be off to work in a couple of hours so I hope you can respond before 06.30am my time tomorrow morning. Thank you again Paul

04-25-2006, 10:38 PM	#15 (permalink)
rozel Registered User Join Date: Oct 2003 Location: UK Posts: 38 OS: XP Pro (SP2)	-bump-

04-26-2006, 06:47 AM	#16 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	Hi Paul Your PC has an extremely nasty infection win32.polip. Disconnect it from the internet and your network NOW. Uninstall all cracked software and obtain a liscenced anti-virus program to scan your other computers. AVG Anti-Virus Avast Home Edition Scan all the other computers with updated virus definitions. If all of the computers are infected with win32.polip then I would advise full re-installation of Windows on all computers. The drives should be fully formatted with the manufacturers disk tool or a third party disk wipe utility before attempting to re-install the Operating System. This infection is transmitted via P2P networks and injects malicous code into many important system files and program files. Cleaning of this type of infection is difficult and may still result in a full re-install being required. The best way forward is to re-install now rather than attempt cleaning.

04-27-2006, 01:59 AM	#18 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	First I have my own family matters to deal with so if I've delayed too much then I apologize Second I stated at the start of this thread that I am consulting with the experts on this and any other log I take. These experts also all have their own family matters so if they have delayed in getting back to me before I get back to you then again I apologize. 3rd we are all volunteers here providing you and many many others FREE support Fourth we have already told you that your P2P activity and your cracked software is the root cause of this infection. We have also told you that cleaning of this infection is NOT guaranteed and that re-installation is the best step to take. The files quaranteed by Norton cannot be cleaned due to polymorphic code being injected into their executable files. The only way to get rid of these is to delete them from quarantine following the guide I gave you already. However as you are aware many of these programs will not work. We have already told you that this infection is too difficult to clean and re-installation is the best solution for you. As for CleanUp your version is a newer version than mine. My version needs that "scan drives for temporary files" unchecked so that Office files are not deleted. Your version does not require this option. You have already been told this. The questions we asked were to try and determine the cause of your important files being deleted however we were unable to gather enough information to determine the most likely cause. The Polip version you have is very new and as far as we aware Symantec can't clean it wholly. We DO NOT rely on 1 source alone for information we use many sources to confirm our findings. Our findings are that most if not then all Anti-virus products are unable to fully clean this infection. With even traces of it left you will quickly be infested again. We have suggested the best route for you is to re-install. I have passed this on to more senior analysts. I wish you luck with your problem. Have a nice day

04-27-2006, 03:51 AM	#19 (permalink)
rozel Registered User Join Date: Oct 2003 Location: UK Posts: 38 OS: XP Pro (SP2)	Yes - sorry - I understand most of what you have said - and I know you are all volunteers and now know that deletion is the only step forward. I have paid Symantec 69 Euros, to clean my system, which they say they can do and right now, after deleting these files, god knows how I will replace them, I am in the process with Symantec. Whether this will be succesful or not remains to be seen, but they are adamant that after deleting these files, my system can be cleaned. I am still not sure what you mean with CleanUp, there was no warning before I used this and you say my version did not need this option - errrrrrrrrr I don't understand you. My version certainly did not have this option, I hope you are not disputing this, and I was given no warning that it would then scan all my drives and delete temporary folders. Please inform me further as right now I am in a position whereby I have lost files, probably indefinately, unless I can restore these after my system has been cleaned and the software resupplied. Paul

04-27-2006, 05:23 AM	#20 (permalink)
MoralTerror Analyst, Security Team Join Date: Nov 2005 Location: UK Posts: 1,968 OS: xp	Hi Paul I'm not sure where your confusion lies. The version of cleanup which you have does NOT have the checkbox I asked you to uncheck. This is because the previous version had that checkbox to avoid deleting Office programs .tmp files. The new version does not require this checkbox so obviously there is no need to include the box in the programs interface. The link I sent you to clearly states that temp directories will be cleaned out. tempFoldersInCleanUp.jpg If you continue to the download page which you obviously did then you are IMMEDIATELY faced with instructions to make a backup. readInstructions.jpg It then goes on to explain that temporary directories including downloads will be deleted. readInstructions2.jpg I hope that you appreciate while we endeavour to make instructions as simple as possible we do still need users to follow not only our suggestions but that of any links or programs we may refer you to. Failing to read instructions on your part does not by any means lay the responsibility of your lost files on either myself, my mentors, this site or indeed CleanUp. I understand that you are upset at not only losing these files but being seriously infected by this new strain of polip. But I fail to see why that is the fault of this site. As you have already stated that you lack confidence in my abilities I have as you requested passed this on to the more senior members and you can take it up with them. I have apologized for your inconvenience and don't see there is much else I can do. I suspect the files were deleted due to the seriousness of your infestation but maybe the experts will shed more light on this matter for you.