
Just a Few Minor Problems I Can't Figure Out

1029 Views 13 Replies 2 Participants Last post by Linkmaster
To start off my computer has been running a little sluggish, even after a defrag of both drives. However I recently used a program to remove redundant information in the registry and afterwards defragged it (which is the first time I've ever done that). It seems to be running a little smoother now but that could all be perception.

Next, as I looked through the task manager I noticed that evil IEXPLORE.EXE in there, two of them to be exact, and both in all caps. One of which is sucking up quite a bit of memory, and on occasion feeds off my cpu. I thought that might be part of my sluggishness.

Also, in my search to alleviate my computer of the iexplore I came across an article that ran through the writer's process of deleting it. I ran through the suggestions with no success; actually it made things a little worse because now I can't activate any background images on my desktop, and when I shut down my computer an error message pops up. However, because it shuts down too quickly I can't read it. Literally there's like less than a second from the time it pops up to when the screen goes black. I'm really hoping I didn't do something that really did jack up my computer.

Additionally in the aforementioned article, the writer talked about WINLOGON.EXE and how it shouldn't be listed permanently in the task manager. I'm not sure if it's true or not but I did attempt to delete the exe out of the system32 folder with no success. Again I don't know if it's a problem but it's never messed with me before so it's not really high on my list.

One more thing, if there are any problems seen in the log that you know of that can affect the burning process of a DVD, please let me know. I know this isn't the place for DVD burner troubleshooting, but I was rather curious if something was taking up too much cpu power or memory or something. Just an afterthought.

I think that's about it. Nothing really major seems to be happening. Most everything else looks to be running normal, but then again if I knew I wouldn't be here. Any help is appreciated, thanks.



Logfile of HijackThis v1.99.1
Scan saved at 4:44:45 PM, on 12/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\crypserv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RioMSC.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\Mixer.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Saitek\Software\SaiMfd.exe
D:\Program Files\Saitek\Software\Profiler.exe
D:\Program Files\Internet Explorer\iexplore.exe
d:\progra~1\intern~1\iexplore.exe
D:\Program Files\[email protected]\winfah.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\[email protected]\FahCore_7a.exe
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amiright.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amiright.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StupidBashPlanMapi] D:\Documents and Settings\All Users\Application Data\INSIDE SECOND STUPID BASH\DVD OOZE.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SaiMfd] D:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Profiler] D:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [3f0bff3b.exe] D:\WINNT\system32\3f0bff3b.exe
O4 - HKCU\..\Run: [Site meal] D:\DOCUME~1\ZEDRYA~1\APPLIC~1\SPAMFL~1\PLAY CLOSE.exe
O4 - Startup: [email protected] 5.03.lnk = D:\Program Files\[email protected]\winfah.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O23 - Service: Crypkey License - Unknown owner - D:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - D:\WINNT\system32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Hi MysteryGoat, Welcome to TSF !!
I recommend you Subscribe to this thread (if you have not already done so) so you are notified of any replies via email
To do this :
Click Thread Tools, then click Subscribe to this Thread
Make sure it is set to Instant Notification by email, then click Subscribe


You may wish to print out a copy of these instructions to follow while you complete this procedure

I need you to download some programs to aid in our fix : Do Not Run Them Yet

Download ATF (Atribune Temp File) Cleaner© by Atribune

Download and Install AVG Anti-Spyware© by Grisoft

Launch AVG Anti-Spyware, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update AVG Anti-Spyware to the latest definition files.
On the main screen select the icon Update then select the Update now link
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Close AVG Anti-Spyware

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Run AVG Anti-Spyware
Click on Scanner at top
Click on Settings
Once in the Settings screen click on Recommended actions and then select Quarantine
Under Reports, Select Automatically generate report after every scan
Un-Select Only if threats were found
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time
Once the scan is complete do the following :
If you have any infections you will be prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware

Reboot to Normal Mode

Run Kaspersky WebScanner
Click on Kaspersky Online Scanner
NOTE For Internet Explorer 7 Users : If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Reboot, run HijackThis and post a fresh HijackThis Log, the AVG Anti-Spyware Log, and the Kaspersky Virus Scan Log here

Thank You !!
Logfile of HijackThis v1.99.1
Scan saved at 6:49:17 PM, on 12/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINNT\system32\crypserv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RioMSC.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\Mixer.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Internet Explorer\iexplore.exe
d:\progra~1\intern~1\iexplore.exe
D:\Program Files\Saitek\Software\SaiMfd.exe
D:\Program Files\Saitek\Software\Profiler.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\[email protected]\winfah.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\[email protected]\FahCore_7a.exe
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amiright.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amiright.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDCD9DC6-B84D-8085-ED3F-072E89B12C0A} - D:\DOCUME~1\ZEDRYA~1\APPLIC~1\MFCDGR~1\GLOBAL ELSE.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StupidBashPlanMapi] D:\Documents and Settings\All Users\Application Data\INSIDE SECOND STUPID BASH\itch second.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SaiMfd] D:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Profiler] D:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [3f0bff3b.exe] D:\WINNT\system32\3f0bff3b.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Site meal] D:\DOCUME~1\ZEDRYA~1\APPLIC~1\SPAMFL~1\PLAY CLOSE.exe
O4 - Startup: [email protected] 5.03.lnk = D:\Program Files\[email protected]\winfah.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Unknown owner - D:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - D:\WINNT\system32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:27:04 PM 12/31/2006

+ Scan result:



Nothing found.


::Report end




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 31, 2006 6:27:55 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/12/2006
Kaspersky Anti-Virus database records: 255330
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 120481
Number of viruses found: 8
Number of infected objects: 14 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:56:00

Infected Object Name / Virus Name / Last Action
C:\IRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Program Files\System\Morpheus\mymorpheusToolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe/ic4C.cab/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe/ic4C.cab Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/WarezP2P.exe Infected: not-a-virus:Downloader.Win32.Agent.h skipped
C:\Program Files\System\Zip Files\DL Applications.zip ZIP: infected - 4 skipped
D:\Documents and Settings\All Users\Application Data\INSIDE SECOND STUPID BASH\itch second.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
D:\Documents and Settings\All Users\Application Data\INSIDE SECOND STUPID BASH\Junk inter mp3 Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\mfcdgrimford\GLOBAL ELSE.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\cert8.db Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\history.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\key3.db Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\parent.lock Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\search.sqlite Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\urlclassifier2.sqlite Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Spam flag\aznfemci.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
D:\Documents and Settings\Zed Ryan\Application Data\Spam flag\PLAY CLOSE.exe Infected: Trojan-Downloader.Win32.Swizzor.fh skipped
D:\Documents and Settings\Zed Ryan\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\_CACHE_001_ Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\_CACHE_002_ Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\_CACHE_003_ Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\_CACHE_MAP_ Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\History\History.IE5\MSHist012006123120070101\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\2b077c.exe Infected: Trojan-Downloader.Win32.Swizzor.dv skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\sta5D9.exe Infected: Trojan-Downloader.Win32.Swizzor.fh skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\~DF7AFC.tmp Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temporary Internet Files\Content.IE5\WPQRKL6V\upAYB[1].int Infected: Trojan-Downloader.Win32.Swizzor.dv skipped
D:\Documents and Settings\Zed Ryan\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Zed Ryan\ntuser.dat.LOG Object is locked skipped
D:\Program Files\[email protected]\FAHlog.txt Object is locked skipped
D:\Program Files\[email protected]\work\logfile_01.txt Object is locked skipped
D:\Program Files\[email protected]\work\wudata_01.arc Object is locked skipped
D:\Program Files\[email protected]\work\wudata_01.bed Object is locked skipped
D:\Program Files\[email protected]\work\wudata_01.goe Object is locked skipped
D:\Program Files\[email protected]\work\wudata_01.log Object is locked skipped
D:\Program Files\[email protected]\work\wudata_01.sas Object is locked skipped
D:\Program Files\[email protected]\work\wudata_01.xtc Object is locked skipped
D:\WINNT\AdvPack.log Object is locked skipped
D:\WINNT\CSC\00000001 Object is locked skipped
D:\WINNT\Debug\ipsecpa.log Object is locked skipped
D:\WINNT\Debug\oakley.log Object is locked skipped
D:\WINNT\Debug\PASSWD.LOG Object is locked skipped
D:\WINNT\SchedLgU.Txt Object is locked skipped
D:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
D:\WINNT\system32\config\default Object is locked skipped
D:\WINNT\system32\config\default.LOG Object is locked skipped
D:\WINNT\system32\config\SAM Object is locked skipped
D:\WINNT\system32\config\SAM.LOG Object is locked skipped
D:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
D:\WINNT\system32\config\SECURITY Object is locked skipped
D:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
D:\WINNT\system32\config\software Object is locked skipped
D:\WINNT\system32\config\software.LOG Object is locked skipped
D:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
D:\WINNT\system32\config\system Object is locked skipped
D:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
D:\WINNT\system32\esnecil.ind Object is locked skipped
D:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
Download NoLop to your desktop from one of the following links :
1) NoLop© by skate_punk_21
2) NoLop© by skate_punk_21
3) NoLop© by skate_punk_21

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Double click NoLop.exe to run it
Click the button labelled Search and Destroy
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Click the REBOOT Button
A message should pop up from NoLop. If not, double click the program again and it will finish
Please Post the contents of the C:\NoLop.log along with a fresh HijackThis log here
NoLop! Log by Skate_Punk_21

Fix running from: D:\Documents and Settings\Zed Ryan\Desktop
[1/1/2007]
[12:56:32 PM]

---Infection Files Found/Removed---
D:\Documents and Settings\Zed Ryan\Application Data\mfcdgrimford\GLOBAL ELSE.exe
D:\Documents and Settings\All Users\Application Data\INSIDE SECOND STUPID BASH\itch second.exe
D:\Documents and Settings\Zed Ryan\Application Data\Spam flag\aznfemci.exe

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

D:\Documents and Settings\All Users\Application Data\Apple Computer
D:\Documents and Settings\All Users\Application Data\Avg7 -- EMPTY Directory
D:\Documents and Settings\All Users\Application Data\Dvd Shrink
D:\Documents and Settings\All Users\Application Data\Microsoft
D:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
D:\Documents and Settings\All Users\Application Data\Oberon Media
D:\Documents and Settings\All Users\Application Data\Orbnetworks
D:\Documents and Settings\All Users\Application Data\Pure Networks
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
D:\Documents and Settings\All Users\Application Data\Vmware
D:\Documents and Settings\Default User\Application Data\Microsoft
D:\Documents and Settings\Default User\Application Data\Vmware -- EMPTY Directory
D:\Documents and Settings\Zed Ryan\Application Data\Adobe
D:\Documents and Settings\Zed Ryan\Application Data\Apple Computer
D:\Documents and Settings\Zed Ryan\Application Data\Atari
D:\Documents and Settings\Zed Ryan\Application Data\Azureus
D:\Documents and Settings\Zed Ryan\Application Data\A?ppatch
D:\Documents and Settings\Zed Ryan\Application Data\Divx
D:\Documents and Settings\Zed Ryan\Application Data\Help -- EMPTY Directory
D:\Documents and Settings\Zed Ryan\Application Data\Icq
D:\Documents and Settings\Zed Ryan\Application Data\Identities
D:\Documents and Settings\Zed Ryan\Application Data\Intertrust
D:\Documents and Settings\Zed Ryan\Application Data\Ipodder
D:\Documents and Settings\Zed Ryan\Application Data\Lavasoft
D:\Documents and Settings\Zed Ryan\Application Data\Leadertech
D:\Documents and Settings\Zed Ryan\Application Data\Macromedia
D:\Documents and Settings\Zed Ryan\Application Data\Media Player Classic
D:\Documents and Settings\Zed Ryan\Application Data\Microsoft
D:\Documents and Settings\Zed Ryan\Application Data\Morpheus
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla
D:\Documents and Settings\Zed Ryan\Application Data\Real
D:\Documents and Settings\Zed Ryan\Application Data\Slysoft
D:\Documents and Settings\Zed Ryan\Application Data\Sun
D:\Documents and Settings\Zed Ryan\Application Data\Syntrillium
D:\Documents and Settings\Zed Ryan\Application Data\Talkback
D:\Documents and Settings\Zed Ryan\Application Data\Uniblue
D:\Documents and Settings\Zed Ryan\Application Data\Vmware
D:\Documents and Settings\Zed Ryan\Application Data\Warez
D:\Documents and Settings\Zed Ryan\Application Data\Watchtower




Logfile of HijackThis v1.99.1
Scan saved at 1:04:09 PM, on 1/1/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINNT\system32\crypserv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RioMSC.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\Mixer.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Saitek\Software\SaiMfd.exe
D:\Program Files\Saitek\Software\Profiler.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\[email protected]\winfah.exe
D:\Program Files\[email protected]\FahCore_7a.exe
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amiright.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDCD9DC6-B84D-8085-ED3F-072E89B12C0A} - D:\DOCUME~1\ZEDRYA~1\APPLIC~1\MFCDGR~1\GLOBAL ELSE.exe (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SaiMfd] D:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Profiler] D:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [3f0bff3b.exe] D:\WINNT\system32\3f0bff3b.exe
O4 - Startup: [email protected] 5.03.lnk = D:\Program Files\[email protected]\winfah.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Unknown owner - D:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - D:\WINNT\system32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


I got my desktop background working also. I don't think it's completely unrelated, but as I should have known earlier, as I've had the problem before, I had to go into the registry.
Sorry for the delay !!

Download and Unzip The Avenger© by Swandog46 to your desktop
Copy the entire contents inside the following Quote box to your Clipboard :

files to delete:
D:\Documents and Settings\Zed Ryan\Application Data\A?ppatch
D:\Documents and Settings\Zed Ryan\Application Data\Warez
C:\Program Files\System\Zip Files\DL Applications.zip/WarezP2P.exe
D:\WINNT\system32\3f0bff3b.exe
D:\Documents and Settings\Zed Ryan\Application Data\Spam flag\PLAY CLOSE.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\2b077c.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\sta5D9.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temporary Internet Files\Content.IE5\WPQRKL6V\upAYB[1].int
Run The Avenger
Double click the Avenger icon on your desktop
Under Script file to execute choose Input Script Manually
Click on the Magnifying Glass icon which will open a new window titled View/edit script
Paste the text you just copied to clipboard into this window by pressing Ctrl+V
Click Done
Now click on the Green Light to begin execution of the script
Answer Yes twice when prompted.
The Avenger will automatically do the following :

Restart your computer (In cases where the code to execute contains Drivers to Unload, The Avenger will actually restart your system twice)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O2 - BHO: (no name) - {FDCD9DC6-B84D-8085-ED3F-072E89B12C0A} - D:\DOCUME~1\ZEDRYA~1\APPLIC~1\MFCDGR~1\GLOBAL ELSE.exe (file missing)

O4 - HKLM\..\Run: [3f0bff3b.exe] D:\WINNT\system32\3f0bff3b.exe

O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)


Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked
Close HijackThis

Run Kaspersky WebScanner again

Post a fresh HijackThis log, the contents of the c:\avenger.txt file and the Kaspersky WebScanner log here

Let me know how your system is running !!??
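Added example, not code from this thread or from HijackThis: the triage reasoning behind the three entries the reply above asks to have checked, run over entry lines copied from the HijackThis logs posted in this thread. The flagging rules (a BHO with no name and no file, a Run value with a random eight-hex-digit name pointing into system32, a Winlogon Notify package whose DLL is gone, a service whose "file missing" comes from an unexpanded %ProgramFiles% in its ImagePath) are this example's own heuristics; HijackThis only lists, it does not rate.

```python
"""Triage a HijackThis v1.99 log: pull out the O2/O4/O20/O23 autostart entries
worth a 'Fix checked'. Added example, not code from the thread or from
HijackThis; the rules below are this example's own heuristics. The sample
lines are copied from the logs posted in the thread."""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDCD9DC6-B84D-8085-ED3F-072E89B12C0A} - D:\\DOCUME~1\\ZEDRYA~1\\APPLIC~1\\MFCDGR~1\\GLOBAL ELSE.exe (file missing)
O4 - HKLM\\..\\Run: [NeroCheck] D:\\WINNT\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [3f0bff3b.exe] D:\\WINNT\\system32\\3f0bff3b.exe
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O23 - Service: Crypkey License - Unknown owner - D:\\WINNT\\SYSTEM32\\crypserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\\WinPcap\\rpcapd.exe" -d -f "%ProgramFiles%\\WinPcap\\rpcapd.ini (file missing)
"""


@dataclass
class Finding:
    section: str
    line: str
    severity: str   # "fix" = check it in HJT, "review" = verify first, "info" = explanation only
    reason: str


ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)   # e.g. 3f0bff3b.exe, a dropper-style random name


def parse_hjt(text):
    """Return (section, body) for every Oxx/Rx/Fx/Nx entry; headers and the process list are ignored."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(text):
    findings = []
    for section, body in parse_hjt(text):
        missing = body.endswith("(file missing)")
        if section == "O2":   # Browser Helper Objects: DLLs loaded into every IE process
            if "(no name)" in body and missing:
                findings.append(Finding(section, body, "fix",
                    "nameless BHO whose file is gone: orphaned registration left by an earlier partial cleanup"))
            elif "(no name)" in body or missing:
                findings.append(Finding(section, body, "review", "BHO without a name or without its file"))
        elif section == "O4":   # Run / RunOnce values
            m = RUN_RE.match(body)
            if m and HEX_NAME_RE.match(m.group(2)) and "system32" in m.group(3).lower():
                findings.append(Finding(section, body, "fix",
                    "Run value with a random 8-hex-digit name pointing into system32"))
        elif section == "O20":  # Winlogon Notify packages load inside winlogon.exe (SYSTEM) at every logon
            findings.append(Finding(section, body, "fix" if missing else "review",
                "stale Winlogon Notify entry: the DLL is gone but winlogon still tries to load it"
                if missing else "Winlogon Notify DLL runs as SYSTEM inside winlogon.exe; confirm the publisher"))
        elif section == "O23":  # services
            if missing and "%" in body:
                findings.append(Finding(section, body, "info",
                    "ImagePath holds an unexpanded %...% variable that HJT does not resolve; "
                    "'file missing' here is most likely a parsing artefact, not evidence of removal"))
            elif missing or "Unknown owner" in body:
                findings.append(Finding(section, body, "review",
                    "service binary without version info or without its file; check the path and vendor"))
    return findings


def fix_list(findings):
    """Exactly the lines a helper would ask the user to check in HijackThis."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the "fix" tier contains exactly the three lines named in the reply above; the Crypkey service lands in "review" (a legitimate licensing service, but with no version information), and the WinPcap rpcapd line is explained rather than flagged.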
I had problems with the avenger program. When the log came up it said it couldn't open because the program was being used by another process, or something to that effect. Anyway, nothing was written in the log. Additionally, the only thing in the backup is something called 'backup.reg'. I ran the program twice and got the same results both times.

Other than that everything seems to be running fine, nothing unusual I can detect on hand. However from looking at the kaspersky scan, if there is something on here, whether it's spyware or a virus, I'd like to get it all clean if possible. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:02:26 PM, on 1/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINNT\system32\crypserv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RioMSC.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\Mixer.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\Program Files\Saitek\Software\SaiMfd.exe
D:\Program Files\Saitek\Software\Profiler.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amiright.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: (no name) - {FDCD9DC6-B84D-8085-ED3F-072E89B12C0A} - D:\DOCUME~1\ZEDRYA~1\APPLIC~1\MFCDGR~1\GLOBAL ELSE.exe (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SaiMfd] D:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Profiler] D:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [3f0bff3b.exe] D:\WINNT\system32\3f0bff3b.exe
O4 - Startup: [email protected] 5.03.lnk = D:\Program Files\[email protected]\winfah.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Unknown owner - D:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - D:\WINNT\system32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)





-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 03, 2007 3:03:31 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/01/2007
Kaspersky Anti-Virus database records: 255813
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 121940
Number of viruses found: 8
Number of infected objects: 12 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:54:30

Infected Object Name / Virus Name / Last Action
C:\IRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Program Files\System\Morpheus\mymorpheusToolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe/ic4C.cab/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe/ic4C.cab Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/WarezP2P.exe Infected: not-a-virus:Downloader.Win32.Agent.h skipped
C:\Program Files\System\Zip Files\DL Applications.zip ZIP: infected - 4 skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\cert8.db Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\formhistory.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\history.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\key3.db Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\parent.lock Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\search.sqlite Object is locked skipped
D:\Documents and Settings\Zed Ryan\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\urlclassifier2.sqlite Object is locked skipped
D:\Documents and Settings\Zed Ryan\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\4A44DF24d01 Infected: Exploit.HTML.Agent.c skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\_CACHE_001_ Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\_CACHE_002_ Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\_CACHE_003_ Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\_CACHE_MAP_ Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\History\History.IE5\MSHist012007010320070104\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\~DF7C05.tmp Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Zed Ryan\ntuser.dat.LOG Object is locked skipped
D:\NoLopBackups\Aznfemci.exe.04.infected Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
D:\NoLopBackups\Global Else.exe.01.infected Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
D:\NoLopBackups\Itch Second.exe.02.infected Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
D:\NoLopBackups\Play Close.exe.06.infected Infected: Trojan-Downloader.Win32.Swizzor.fh skipped
D:\WINNT\AdvPack.log Object is locked skipped
D:\WINNT\CSC\00000001 Object is locked skipped
D:\WINNT\Debug\ipsecpa.log Object is locked skipped
D:\WINNT\Debug\oakley.log Object is locked skipped
D:\WINNT\Debug\PASSWD.LOG Object is locked skipped
D:\WINNT\SchedLgU.Txt Object is locked skipped
D:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
D:\WINNT\system32\config\default Object is locked skipped
D:\WINNT\system32\config\default.LOG Object is locked skipped
D:\WINNT\system32\config\SAM Object is locked skipped
D:\WINNT\system32\config\SAM.LOG Object is locked skipped
D:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
D:\WINNT\system32\config\SECURITY Object is locked skipped
D:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
D:\WINNT\system32\config\software Object is locked skipped
D:\WINNT\system32\config\software.LOG Object is locked skipped
D:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
D:\WINNT\system32\config\system Object is locked skipped
D:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
D:\WINNT\system32\esnecil.ind Object is locked skipped
D:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
OK, I don't think Avenger ran right !
You can Uninstall Avenger

Open HiJackThis
Click on the Config... button on the bottom right
Click on the Misc Tools tab
Click on Delete File on Reboot
Navigate to this file :

D:\Documents and Settings\Zed Ryan\Application Data\A?ppatch

Double click on that file
HJT asks you if you want to reboot, Click no
Do that for the following files also :

D:\Documents and Settings\Zed Ryan\Application Data\A?ppatch
D:\Documents and Settings\Zed Ryan\Application Data\Warez
C:\Program Files\System\Zip Files\DL Applications.zip/WarezP2P.exe
D:\WINNT\system32\3f0bff3b.exe
D:\Documents and Settings\Zed Ryan\Application Data\Spam flag\PLAY CLOSE.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\2b077c.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\sta5D9.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temporary Internet Files\Content.IE5\WPQRKL6VupAYB[1].int


When you get to the last one, click yes when HJT asks you to reboot

After Reboot :

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O2 - BHO: (no name) - {FDCD9DC6-B84D-8085-ED3F-072E89B12C0A} - D:\DOCUME~1\ZEDRYA~1\APPLIC~1\MFCDGR~1\GLOBAL ELSE.exe (file missing)

O4 - HKLM\..\Run: [3f0bff3b.exe] D:\WINNT\system32\3f0bff3b.exe

O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)


Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked
Close HijackThis

Run Kaspersky WebScanner again

Post a fresh HijackThis log and the Kaspersky WebScanner log here
A few problems.


D:\Documents and Settings\Zed Ryan\Application Data\A?ppatch
D:\Documents and Settings\Zed Ryan\Application Data\A?ppatch
D:\Documents and Settings\Zed Ryan\Application Data\Warez
These are directories that HJT can't delete, and actually A?ppatch doesn't have the ? in it.


C:\Program Files\System\Zip Files\DL Applications.zip/WarezP2P.exe
This is in a zip file and is a P2P program as the name suggests. I could delete it by itself but not through HJT without deleting the entire zip file, which is something I really don't want to do.


D:\Documents and Settings\Zed Ryan\Application Data\Spam flag\PLAY CLOSE.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\2b077c.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\sta5D9.exe
D:\Documents and Settings\Zed Ryan\Local Settings\Temporary Internet Files\Content.IE5\WPQRKL6VupAYB[1].int
None of these files exist on here. I've unhidden and searched through the computer and I can't find any of them. And the folder Spam Flag doesn't exist either.


O2 - BHO: (no name) - {FDCD9DC6-B84D-8085-ED3F-072E89B12C0A} - D:\DOCUME~1\ZEDRYA~1\APPLIC~1\MFCDGR~1\GLOBAL ELSE.exe (file missing)
O4 - HKLM\..\Run: [3f0bff3b.exe] D:\WINNT\system32\3f0bff3b.exe
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
I forgot to mention but I deleted these the last time you told me. They don't show up in the HJT log anymore.

Oh and Avenger didn't install. When I extracted it from the zip file it was just a stand alone executable. Not sure if that means anything to you.
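Added example, not code from the thread, HijackThis or Avenger: a way to see what a "Delete File on Reboot" request actually queues, and to check a path before queuing it, covering the three cases the poster ran into above (a "?" in a folder name, a file inside a .zip, and directories). It assumes HJT's delete-on-reboot uses the standard Win32 MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) mechanism, whose queue is the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, replayed by Session Manager early in the next boot. The sample queue contents are constructed (the driver paths in it are invented for illustration).

```python
"""Inspect and sanity-check delete-on-reboot requests. Added example, not
code from the thread, HijackThis or Avenger. Assumption: HJT's 'Delete File
on Reboot' is MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which records work in
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations."""

NT_PREFIX = "\\??\\"   # Session Manager stores NT-style paths: \??\C:\...

# Constructed sample of the value as winreg returns it: a flat list of strings in
# (source, destination) pairs. "" as destination = delete the source; a leading "!"
# on the destination = overwrite an existing target. Driver names are invented.
SAMPLE_PENDING = [
    NT_PREFIX + r"D:\WINNT\system32\3f0bff3b.exe", "",
    NT_PREFIX + r"D:\Documents and Settings\Zed Ryan\Local Settings\Temp\2b077c.exe", "",
    NT_PREFIX + r"C:\WINNT\TEMP\new_driver.sys", "!" + NT_PREFIX + r"C:\WINNT\system32\drivers\old_driver.sys",
]


def _strip_nt_prefix(p):
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending(multi_sz):
    """Turn the raw pair list into (action, source, destination) tuples."""
    items = list(multi_sz)
    if items and items[-1] == "" and len(items) % 2:   # tolerate one trailing terminator
        items.pop()
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations must be source/destination pairs")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, _strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", src, _strip_nt_prefix(dst)))
    return ops


ARCHIVE_EXTS = (".zip", ".cab", ".rar")


def check_request(path, is_directory=False):
    """None if the path can usefully be queued as a delete, else why the queue will
    not do what is wanted. is_directory must be supplied by the caller (no stat here)."""
    if any(ch in path for ch in "?*"):
        return "wildcard character in the name: the queue takes one literal path, so copy the exact folder name"
    low = path.lower()
    if any(ext + sep in low for ext in ARCHIVE_EXTS for sep in ("/", "\\")):
        return ("path inside an archive: the file system only sees the archive file; "
                "remove the member with an archiver or delete the whole archive")
    if is_directory:
        # Per the MoveFileEx documentation, a queued directory is removed at restart only if empty.
        return "directory: a delayed delete removes a directory at reboot only if it is already empty"
    return None


def read_live():
    """Windows only: read the real queue. Returns [] when nothing is pending."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    finally:
        key.Close()
    return parse_pending(value)


if __name__ == "__main__":
    for op in parse_pending(SAMPLE_PENDING):
        print(op)
    for p in (r"D:\Documents and Settings\Zed Ryan\Application Data\A?ppatch",
              r"C:\Program Files\System\Zip Files\DL Applications.zip/WarezP2P.exe"):
        print(p, "->", check_request(p))
```

Reading the live queue before rebooting (read_live() on the Windows box, or "reg query" on the same key) tells you whether the tool queued anything at all; an empty queue after clicking "yes" to reboot is the same symptom the poster saw with the empty Avenger log.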
OK can you post the 2 logs for me ??
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 04, 2007 10:22:37 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/01/2007
Kaspersky Anti-Virus database records: 256152
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 122244
Number of viruses found: 8
Number of infected objects: 12 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:51:31

Infected Object Name / Virus Name / Last Action
C:\IRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Program Files\System\Morpheus\mymorpheusToolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe/ic4C.cab/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe/ic4C.cab Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/Z-NetMircppv1.37.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Program Files\System\Zip Files\DL Applications.zip/WarezP2P.exe Infected: not-a-virus:Downloader.Win32.Agent.h skipped
C:\Program Files\System\Zip Files\DL Applications.zip ZIP: infected - 4 skipped
D:\Documents and Settings\Zed Ryan\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubz62q68.default\Cache\4A44DF24d01 Infected: Exploit.HTML.Agent.c skipped
D:\Documents and Settings\Zed Ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\History\History.IE5\MSHist012007010420070105\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temp\~DF7739.tmp Object is locked skipped
D:\Documents and Settings\Zed Ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Zed Ryan\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Zed Ryan\ntuser.dat.LOG Object is locked skipped
D:\NoLopBackups\Aznfemci.exe.04.infected Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
D:\NoLopBackups\Global Else.exe.01.infected Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
D:\NoLopBackups\Itch Second.exe.02.infected Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
D:\NoLopBackups\Play Close.exe.06.infected Infected: Trojan-Downloader.Win32.Swizzor.fh skipped
D:\WINNT\AdvPack.log Object is locked skipped
D:\WINNT\CSC\00000001 Object is locked skipped
D:\WINNT\Debug\ipsecpa.log Object is locked skipped
D:\WINNT\Debug\oakley.log Object is locked skipped
D:\WINNT\Debug\PASSWD.LOG Object is locked skipped
D:\WINNT\SchedLgU.Txt Object is locked skipped
D:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
D:\WINNT\system32\config\default Object is locked skipped
D:\WINNT\system32\config\default.LOG Object is locked skipped
D:\WINNT\system32\config\SAM Object is locked skipped
D:\WINNT\system32\config\SAM.LOG Object is locked skipped
D:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
D:\WINNT\system32\config\SECURITY Object is locked skipped
D:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
D:\WINNT\system32\config\software Object is locked skipped
D:\WINNT\system32\config\software.LOG Object is locked skipped
D:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
D:\WINNT\system32\config\system Object is locked skipped
D:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
D:\WINNT\system32\esnecil.ind Object is locked skipped
D:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.




Logfile of HijackThis v1.99.1
Scan saved at 10:22:52 PM, on 1/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINNT\system32\crypserv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RioMSC.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\Mixer.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\Program Files\Saitek\Software\SaiMfd.exe
D:\Program Files\Saitek\Software\Profiler.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amiright.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SaiMfd] D:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Profiler] D:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - Startup: [email protected] 5.03.lnk = D:\Program Files\[email protected]\winfah.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Unknown owner - D:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - D:\WINNT\system32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current problem.
Additional information on the safety of Peer to Peer programs themselves is here :

Clean/Infected P2P Programs

Having said that :

Your log seems to be OK now !!

Just one more thing :
**Turn off System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check "Turn off System Restore"
Click Apply, then click OK and Reboot

**Turn ON System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check "Turn off System Restore"
Click Apply, then click OK and Reboot

How is your system running now ??

Here are a few tools and tips that I recommend for protecting your system and reduce the risk of infection again !!

~ Make Your Internet Explorer More Secure ~
This can be done by following these simple instructions :
From within Internet Explorer click on the Tools menu and then click on Options
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the "Download signed ActiveX controls" to Prompt
Change the "Download unsigned ActiveX controls" to Disable
Change the "Initialize and script ActiveX controls not marked as safe" to Disable
Change the "Installation of desktop items" to Prompt
Change the "Launching programs and files in an IFRAME" to Prompt
Change the "Navigate sub-frames across different domains" to Prompt
Change the "Allow paste operations via script" to Disable
When all these settings have been made, click on the OK button
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

~ Real Time Prevention ~
SpywareBlaster© by Javacool Software :
*Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests
*Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
*Restrict the actions of potentially dangerous sites in Internet Explorer.
*Consumes no system resources

*Download, run, check for updates, download updates, select all, protect against checked. All done
*Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page
IESpyad© by EHowes : This will add several hundred Restricted Sites to the Restricted Site Zone in IE.

~ Download and Install a HOSTS File ~
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1)
If you use a proxy server, or if you are on AOL, or if you use Norton to scan e-mail, be sure to read the special instructions

If you download and install BlueTack's HOSTS Manager first, you can use it to handle your HOSTS file download, edits, and most any other HOSTS issue

Download and Read an excellent instruction about HOSTS files (the Bluetack version) HERE
**Please note that a large HOSTS file (over 135 kb) may slow down the machine. This only occurs in W2K and XP.
To fix this:
Go to Start, Run, type in services.msc then hit OK
Scroll down to DNS Client, Right-click and select: Properties
Click the drop-down arrow for Startup type
Select: Manual, click Apply/Ok and restart
**

You can download the MVPS HOSTS file and see another HOSTS file tutorial HERE
The BlueTack version is more aggressive than the MVPS and targets adware sites as well as more dangerous ones
If you have ZoneAlarm, you will have to give permission to Unlock the present default HOSTS file before you copy / install the new one.
(ZoneAlarm resets the "lock" after each reboot.)

~ File Cleaners (temp, prefetch, cookie, etc) ~
2000/XP Only
ATF (Atribune Temp File) Cleaner© by Atribune
All Windows
CCleaner© by CCleaner.com

~ Spyware Scanners ~
Some FREE Spyware Scanners for Home use, that will detect and remove trojans, dialers, malware, browser hijackers, tracking components and other forms of Spyware :
SUPERAntiSpyware Home© by SUPERAntiSpyware.com
Ad-aware SE© by Lavasoft
Spybot S&D© by Safer-Networking

~ Good Free Antivirus Programs ~
AVG© by Grisoft
AntiVir© by H+BEDV Datentechnik GmbH
Avast© by ALWIL Software
NOTE: Remember to always have just 1 antivirus program running at a time. Having more than one running causes a conflict between the programs !! You can use one as a backup to run manually

~ Windows Update ~
It's also very important to keep your system up to date to avoid unnecessary security risks
Windows Update

~ Firewalls ~
If you have an "always on" internet connection, such as DSL or Cable, I recommend a Firewall.
A firewall will make your pc invisible to the outside world and will filter the outgoing and incoming traffic on your pc.
For a good idea of how vulnerable your system(s) are go to GRC
Scroll down to "Shields Up" Click on "Proceed" Then click on "Common Ports" to scan your ports.
Free Personal Firewalls :
Sunbelt Kerio Personal Firewall© by Sunbelt
Jetico Personal Firewall© by Jetico, Inc.
Comodo Personal Firewall© by Comodo Group (XP & 2000 only)

Always keep your Antivirus & Spyware Removal Tools current with the latest definitions and updates !!

Using these tools and keeping them updated will reduce the risk of future infections!!

Do you have any questions??
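Added example, not code from the thread or from the MVPS/BlueTack tools it links: a small auditor for the HOSTS file described in the post above. It separates blocklist entries (a name sent to 127.0.0.1, or to 0.0.0.0 as newer lists use) from entries that send a name somewhere else, which is also what a HOSTS hijack of an update or vendor site looks like, reports duplicate names, applies the 135 KB size warning quoted above, and merges new block entries without duplicating existing ones. The sample file is constructed; 203.0.113.5 in it is a documentation address (203.0.113.0/24 is reserved for examples), not a real host.

```python
"""Audit a Windows HOSTS file. Added example, not from the thread or from the
MVPS/BlueTack tools. The size threshold is the one quoted in the thread."""
import ipaddress
import re

SIZE_WARN_BYTES = 135 * 1024                  # threshold quoted in the thread for W2K/XP DNS Client
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}    # the thread uses 127.0.0.1; 0.0.0.0 is the newer convention

# Constructed sample; 203.0.113.5 is a documentation address, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ad.doubleclick.net      # blocked
127.0.0.1  www.mywebsearch.com
203.0.113.5  windowsupdate.microsoft.com  # <- not a block, a redirect
127.0.0.1  ad.doubleclick.net
"""

LINE_RE = re.compile(r"^\s*(\S+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Return (ip, hostname, line_no) for each mapping; one line may carry several names."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                          # malformed address field; skip the line
        for name in m.group(2).split():
            out.append((str(ip), name.lower(), no))
    return out


def audit(text):
    """Classify every mapping: blocked (sent to a blackhole), redirected (sent
    anywhere else, the shape of a HOSTS hijack), duplicate, plus the size check."""
    report = {"blocked": [], "redirected": [], "duplicates": [], "oversize": False}
    seen = {}
    for ip, name, no in parse_hosts(text):
        if name in seen:
            report["duplicates"].append((name, seen[name], no))
            continue
        seen[name] = no
        if name == "localhost" or name.endswith(".localdomain"):
            continue                          # the stock loopback entries
        if ip in BLACKHOLE:
            report["blocked"].append(name)
        else:
            report["redirected"].append((name, ip, no))
    report["oversize"] = len(text.encode("utf-8")) > SIZE_WARN_BYTES
    return report


def merge_blocklist(text, names, target="127.0.0.1"):
    """Append names not already mapped; returns (new_text, number_added)."""
    present = {name for _, name, _ in parse_hosts(text)}
    new = [n.lower() for n in names if n.lower() not in present]
    if not new:
        return text, 0
    body = text if text.endswith("\n") else text + "\n"
    body += "".join(f"{target}\t{n}\n" for n in new)
    return body, len(new)


if __name__ == "__main__":
    r = audit(SAMPLE_HOSTS)
    print("blocked:   ", r["blocked"])
    print("redirected:", r["redirected"])   # anything here deserves a look: who added it, and why?
    print("duplicates:", r["duplicates"])
    print("oversize:  ", r["oversize"])
```

The "redirected" list is the one to read first: a blocklist only ever points names at the machine itself, so any entry that sends a vendor, update or banking hostname to a real address was put there by something other than the blocklist installer. If the file does trip the size check, the post above already gives the fix (DNS Client service set to Manual).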
Thanks for all the help. One thing though, I don't have a system restore tab in the system properties menu. Other than that everything is working fine.

Most of the tips you suggested I'd already implemented, but I'm working on the ones I don't right now. And after reviewing the list of P2P infections I'm glad to say I had none on my computer.

Thanks again for all your help.
You are very Welcome !!

One thing though, I don't have a system restore tab in the system properties menu
Sorry, that is for XP !! :sigh: