HELP! My Photoshop won't run


panget
24 Oct 2005, 1:15pm
Forgive my ignorance, but this is probably spyware (or trojan) related:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:49:09 PM, 10/24/2005
+ Report-Checksum: DDCB81C3

+ Scan result:

HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Error during cleaning
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP1\A0000008.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup


::Report End

Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 7:02:53 PM, on 10/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O5 "LPT1:" /M "Stylus C83"
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB004" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB007" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "EPSON Stylus CX3500 Series (Copy 1)" /O6 "USB011" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 2)" /O6 "USB025" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB015" /M "Stylus C67"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P26 "EPSON Stylus CX4500 Series" /O5 "LPT1:" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P35 "EPSON Stylus CX4500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 7)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 7)" /O6 "USB029" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 6)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 6)" /O6 "USB038" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 5)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 5)" /O6 "USB032" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 4)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 4)" /O6 "USB031" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 3)" /O6 "USB028" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 8)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 8)" /O6 "USB046" /M "Stylus C45"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

When I run Photoshop, by the time the brushes are loading, Photoshop just disappears! Please help; I need it as soon as possible. Thanks.

P.S. I've never used this pc for internet until a few hours ago. Photoshop was working before that.

DoctorGeo2008
24 Oct 2005, 6:35pm
Please run Adaware and Spybot as described HERE (http://www.short-media.com/forum/showthread.php?t=14915)

Come back and post a new HijackThis (HJT) log. Don't forget to have hidden files viewable. Directions for that are also included in the above link.

panget
26 Oct 2005, 7:06am
I have done as you've instructed, but Spybot kept on crashing, even in safe mode. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:05:00 PM, on 10/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\msinit.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O5 "LPT1:" /M "Stylus C83"
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB004" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB007" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "EPSON Stylus CX3500 Series (Copy 1)" /O6 "USB011" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 2)" /O6 "USB025" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB015" /M "Stylus C67"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P26 "EPSON Stylus CX4500 Series" /O5 "LPT1:" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P35 "EPSON Stylus CX4500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 7)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 7)" /O6 "USB029" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 6)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 6)" /O6 "USB038" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 5)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 5)" /O6 "USB032" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 4)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 4)" /O6 "USB031" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 3)" /O6 "USB028" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 8)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 8)" /O6 "USB046" /M "Stylus C45"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D508AC6D-A9E7-41B5-915C-44B25EA08A6E}: NameServer = 202.81.160.6 202.81.160.7
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

panget
26 Oct 2005, 1:28pm
Btw, before Spybot crashed, it revealed that my PC is infected by a concoction of spyware: CoolWebSearch, Smitfraud, Internet Optimizer, etc.

DoctorGeo2008
26 Oct 2005, 1:59pm
Ok, since it mentioned something about Smitfraud I'm going to assume that you have this infection. I want you to follow the instructions HERE (http://www.short-media.com/forum/showthread.php?t=32218&highlight=smitfraud). Be sure to print them out first so you can follow the steps with no problems.

Once you're done, try to run Spybot in safe mode again, run HJT, and post a new log.

panget
27 Oct 2005, 10:29am
SmitRem didn't appear to find any Smitfraud. I've done as instructed, but Spybot still crashed. Here's the log from ewido (it took me three hours):

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:33:13 PM, 10/27/2005
+ Report-Checksum: 3FEE3744

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{F78B32D6-D6D8-4137-A18F-91EBE1A4AEDB}\TreatAs\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin.1 -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin.1\CLSID\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin.1 -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin.1\CLSID\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Error during cleaning
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1214440339-1960408961-682003330-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Error during cleaning
C:\motor.exe -> Trojan.LowZones.cq : Cleaned with backup
C:\WINDOWS\SYSTEM32\setup_75117.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\Program Files\Power Scan -> Spyware.PowerScan : Cleaned with backup
:mozilla.12:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.26:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.27:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.28:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.29:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.30:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.31:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.32:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.33:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.34:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.45:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.50:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.54:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\sze\Application Data\Mozilla\Firefox\Profiles\8cv2zcmv.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup


::Report End

And from HiJack This:

Logfile of HijackThis v1.99.1
Scan saved at 5:16:31 PM, on 10/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\msinit.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\ymsgr_tray.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O5 "LPT1:" /M "Stylus C83"
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB004" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB007" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "EPSON Stylus CX3500 Series (Copy 1)" /O6 "USB011" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 2)" /O6 "USB025" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB015" /M "Stylus C67"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P26 "EPSON Stylus CX4500 Series" /O5 "LPT1:" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P35 "EPSON Stylus CX4500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 7)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 7)" /O6 "USB029" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 6)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 6)" /O6 "USB038" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 5)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 5)" /O6 "USB032" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 4)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 4)" /O6 "USB031" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 3)" /O6 "USB028" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 8)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 8)" /O6 "USB046" /M "Stylus C45"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

I've noticed ISTbar refused to die, and so did SideFind, I think. Please check. Thanks.

DoctorGeo2008
27 Oct 2005, 1:35pm
1. Ok, I want you to run the Panda online scan HERE (http://www.pandasoftware.com/products/ActiveScan.htm).

2. I want you to run Adaware and be sure to have it do a FULL scan.

3. Open Task Manager (Ctrl-Alt-Del) and end the following program that is running under Processes.

msinit.exe

When this finishes, run HJT and delete the following lines. Don't be concerned if they aren't there, they may be cleaned by the previous steps.

O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

4. Reboot in safe mode and delete this file.

c:\WINDOWS\msinit.exe

5. Reboot in normal mode, run HJT, Click on "Open the Misc Tools section". Next click on "Open uninstall manager".
Press the button 'save list'. It will open a Notepad file. Place the content of that file and of the latest scan in a new post.
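The steps above (end the process, tick the O23 lines in HJT, delete the image from safe mode) follow from a few things the helper read off the O23 service lines: the publisher is "Unknown owner", the image sits straight in C:\WINDOWS rather than under Program Files, the entry points at a file that no longer exists, or the display name borrows Microsoft/NT branding without a Microsoft publisher. The script below is an added example by the editor, not part of this thread and not a HijackThis feature; it parses the O23 lines (the sample is copied from the logs posted above) and turns the flagged entries into the three lists the cleanup needs. The scoring rules and the list of "expected" install directories are the editor's own assumptions, so expect false positives on services that genuinely live elsewhere.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example by the editor; it is not part of the forum thread and not a
HijackThis feature.  The scoring rules below are the editor's own
assumptions, written to mirror the reasoning a helper applies by eye.
"""
import re
from dataclasses import dataclass

# Constructed sample: six O23 lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe
"""

# "O23 - Service: <display name> - <publisher> - <image path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Where a vendor service binary is normally installed (editor's assumption).
# A service with an unknown publisher whose image lives elsewhere, e.g.
# straight in C:\WINDOWS, is the pattern the thread's msinit.exe shows.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")


@dataclass
class Service:
    line: str
    name: str
    owner: str
    path: str
    missing: bool

    @property
    def exe(self) -> str:
        """Image file name, as it appears in Task Manager."""
        return self.path.rsplit("\\", 1)[-1]

    @property
    def directory(self) -> str:
        """Lower-cased parent directory with a trailing backslash."""
        return self.path.rsplit("\\", 1)[0].lower() + "\\"


def parse_services(log: str) -> list[Service]:
    """Extract every O23 line; other HJT sections are ignored."""
    services = []
    for raw in log.splitlines():
        m = O23_RE.match(raw.strip())
        if m:
            services.append(Service(raw.strip(), m["name"], m["owner"],
                                    m["path"], m["missing"] is not None))
    return services


def suspicion_reasons(svc: Service) -> list[str]:
    """Editor's heuristics; an empty list means nothing stood out."""
    reasons = []
    if svc.missing:
        reasons.append("image file missing: orphaned or hidden service entry")
    if svc.owner == "Unknown owner" and not svc.directory.startswith(EXPECTED_DIRS):
        reasons.append(f"no publisher and image sits in {svc.directory}")
    # Microsoft/NT branding in the display name without a Microsoft publisher.
    if re.search(r"\b(microsoft|nt)\b", svc.name, re.I) and \
            "microsoft" not in svc.owner.lower():
        reasons.append("Microsoft-style name without a Microsoft publisher")
    return reasons


def remediation_plan(log: str) -> dict[str, list[str]]:
    """Turn flagged services into the three lists the manual cleanup needs:
    processes to end in Task Manager, O23 lines to fix in HJT, and image
    files to delete from safe mode (a missing image has nothing to delete)."""
    plan: dict[str, list[str]] = {"end_processes": [], "hjt_lines": [], "delete_files": []}
    for svc in parse_services(log):
        if not suspicion_reasons(svc):
            continue
        plan["hjt_lines"].append(svc.line)
        if not svc.missing:
            plan["end_processes"].append(svc.exe)
            plan["delete_files"].append(svc.path)
    return plan


if __name__ == "__main__":
    for svc in parse_services(SAMPLE_LOG):
        for reason in suspicion_reasons(svc):
            print(f"{svc.exe:<14} {reason}")
    print(remediation_plan(SAMPLE_LOG))
```

Run against the sample, only msinit.exe and the ntlogin32 entry are flagged; the Epson, ewido and O&K services also have an unknown or third-party publisher but install under Program Files, which is why a single "Unknown owner" is not enough on its own. Because the libsys32.exe image is already gone, the plan lists its O23 line for HJT but nothing to end or delete, matching the post above where only msinit.exe is to be stopped and removed.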

panget
28 Oct 2005, 10:24am
I have done as you've instructed, except deleting "C:/Windows/msinit.exe" because I couldn't find it in that folder.

Uninstall files:

"AbiWord 2.2.5 (remove only)"
ABBYY FineReader 5.0 Sprint Plus
ABBYY FineReader 6.0
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Photoshop 7.0
Ahead InCD
Ahead InCD EasyWrite Reader
ALC Screen Saver
Apache HTTP Server 2.0.52
ASUS Live 3.42
ASUS TWAIN DRIVER 1.02
ASUS V3800 Series Display Driver
Audacity 1.2.3
AxCrypt (Remove Only)
Canon S200SP
Canon S200SP
CleanUp!
D-Link DFM-562IS HSFi PCI Modem
Easy Invoice V4.06
EPSON CardMonitor
EPSON CD Direct Print3
EPSON Copy Utility 3
EPSON Photo Print
EPSON PhotoStarter3.1
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON TWAIN 5
EPSON Web-To-Page
ES C43 Problem Solver
ES C82 Problem Solver
ESC65 Reference Guide
ESC65 Software Guide
ESCX3500 Reference Guide
ESCX3500 Software Guide
ESP1290 Problem Solver
ESP790 Problem Solver
ESPR210 Reference Guide
ESPRX630 Software Guide
ewido security suite
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
LimeWire 4.9.11
Macromedia Shockwave Player
Microsoft Office 2000 Premium
Mozilla Firefox (1.0.2)
Nero Express
O&K Print Watch
Opera
Panda ActiveScan
PIF DESIGNER2.1
POS 4 BUSINESS v5.17
PowerDVD
Printer Monitor 2.3
ScanToWeb
SiS 900 PCI Fast Ethernet Adapter Driver
Sound Blaster Live!
Spybot - Search & Destroy 1.4
W99683 Dual Mode Camera (2002/08/27)
Wallpaper Changer (Remove only)
Winamp3 (remove only)
WinZip
WMA To MP3 Converter
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

==================================

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:19:22 PM, on 10/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\ymsgr_tray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\IHSVC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O5 "LPT1:" /M "Stylus C83"
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB004" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB007" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "EPSON Stylus CX3500 Series (Copy 1)" /O6 "USB011" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 2)" /O6 "USB025" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB015" /M "Stylus C67"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P26 "EPSON Stylus CX4500 Series" /O5 "LPT1:" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P35 "EPSON Stylus CX4500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 7)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 7)" /O6 "USB029" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 6)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 6)" /O6 "USB038" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 5)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 5)" /O6 "USB032" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 4)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 4)" /O6 "USB031" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 3)" /O6 "USB028" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 8)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 8)" /O6 "USB046" /M "Stylus C45"
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

=========================================

I have good news. Photoshop has just worked, even before I performed your instructions. Nevertheless, I'd still like to get rid of those viruses and spyware before things get worse.

DoctorGeo2008
28 Oct 2005, 5:47pm
Are you able to run SpyBot now?

panget
29 Oct 2005, 10:56am
Yes, but there are a few objects that spybot was unable to clean:

CoolWWWSearch.BadZoneMap
CoolWWWSearch.Leftover
CoolWWWSearch.Mupdate
CoolWWWSearch.Toolband
CoolWWWSearch.WinRes
CoolWWWSearch.SideFind
LSA
Need Edware
Smitfraud-C

Give me a moment. My hjt could not save a log.

panget
29 Oct 2005, 11:48am
Logfile of HijackThis v1.99.1
Scan saved at 6:29:33 PM, on 10/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\soff.pif
C:\WINDOWS\System32\IEXPL0RE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\ymsgr_tray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\IHSVC.EXE
C:\WINDOWS\System32\IHSVC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O5 "LPT1:" /M "Stylus C83"
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB004" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB007" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "EPSON Stylus CX3500 Series (Copy 1)" /O6 "USB011" /M "Stylus CX3500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 2)" /O6 "USB025" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB015" /M "Stylus C67"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P26 "EPSON Stylus CX4500 Series" /O5 "LPT1:" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AP.EXE /P35 "EPSON Stylus CX4500 Series (Copy 1)" /O6 "USB040" /M "Stylus CX4500"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 7)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 7)" /O6 "USB029" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 6)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 6)" /O6 "USB038" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 5)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 5)" /O6 "USB032" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 4)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 4)" /O6 "USB031" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 3)" /O6 "USB028" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 8)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 8)" /O6 "USB046" /M "Stylus C45"
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

DoctorGeo2008
31 Oct 2005, 1:30am
Yes, but there are a few objects that spybot was unable to clean:

CoolWWWSearch.BadZoneMap
CoolWWWSearch.Leftover
CoolWWWSearch.Mupdate
CoolWWWSearch.Toolband
CoolWWWSearch.WinRes
CoolWWWSearch.SideFind
LSA
Need Edware
Smitfraud-C

Give me a moment. My hjt could not save a log.

Did it give you the option to remove these on a reboot? If so, did you do that and are they still there?

It's still showing that you have Smitfraud so run the cleaning as I described earlier in this thread.

panget
31 Oct 2005, 2:29am
Yes, it did. But Spybot failed and the program you gave me to get rid of smitfraud didn't work. By the way, Happy Halloween.

DoctorGeo2008
31 Oct 2005, 1:05pm
Yes, it did. But Spybot failed and the program you gave me to get rid of smitfraud didn't work. By the way, Happy Halloween.

Hmmmm.... I'm at a loss here. :scratch: I'm going to get someone else to take a look at this and see if I'm missing anything. Stay tuned!

Crunchie
31 Oct 2005, 1:21pm
Any reason why you have so many entries for Epson? It may not be correctly installed.

==

You have worms, but I have some medication for them :D.

Can you please do the following.

===============

We'll need to unload Spybot's Teatimer before we begin. To do this can you start Spybot and go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit". Do not forget to re-enable it when we are done :).

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

msinit (Microsoft Scheduling Agent) unknown owner ... (C:\WINDOWS\msinit.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\msinit.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders: (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

files...

C:\WINDOWS\msinit.exe
C:\WINDOWS\System32\libsys32.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

EDIT. Please make sure your log is formatted correctly after you have posted. It is almost impossible to read with all those spaces.

panget
3 Nov 2005, 4:02am
Hello. Sorry for the delay. I followed the instructions you posted but failed to execute the following:

Now, locate and 'stop' the following services, if present:

msinit (Microsoft Scheduling Agent) unknown owner ... (C:\WINDOWS\msinit.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

There is msinit.exe but I cannot make it "stop". So I disabled it.

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\msinit.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

It refused to be deleted. I went to safe mode but the item to be deleted wasn't there.

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

Only "O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe" was present. I "Fix checked" it but it reappeared when I rescanned.

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\msinit.exe
C:\WINDOWS\System32\libsys32.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

I only saw the program "C:\WINDOWS\msinit.exe". I got rid of it ;D but couldn't locate "libsys32.exe".

Btw, I found

"O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE

O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE"

in my hjt log. I don't remember installing it. Is it spyware?

And here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:07 AM, on 11/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\IHSVC.EXE
C:\WINDOWS\System32\IHSVC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

======================

And lastly, the Epson drivers were installed on purpose. It's for our business.

Crunchie
3 Nov 2005, 9:44am
Download Killbox v2.0.0.175 (http://www.downloads.subratam.org/KillBox.zip) and unzip the file to your Desktop and have it ready to use.

-

Save all the below files to a text document (notepad) to be used shortly.

C:\WINDOWS\System32\IHSVC.EXE
C:\WINDOWS\System32\libsys32.exe


-

Reboot into safe mode following the instructions here. (http://www.xtra.co.nz/help/0,,6156-1377929,00.html)

==

Go to

Start>>Run and type regedit
Press enter.
Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NT login service (ntlogin32)

If NT login service (ntlogin32) exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NT login service (ntlogin32)

If LEGACY_NT login service (ntlogin32) exists then right click on it and choose delete from the menu.

==

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE

Open the text file you saved previously, right click and drag your cursor over the files to highlight them, and then use Control+C to copy them to the clipboard.
Open KILLBOX and go to File > "Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then checkmark the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

panget
4 Nov 2005, 4:58am
Killbox failed to locate these files:

C:\WINDOWS\System32\IHSVC.EXE
C:\WINDOWS\System32\libsys32.exe

I also tried "Paste from Clipboard" but nothing came out.

As for regedit, the keys you mentioned aren't there. There's "libsys32", yes, but not "NT login service (ntlogin32)".

I was only successful in getting rid of IHSVC in hjt. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:17 PM, on 11/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\msib32.exe
C:\WINDOWS\mspathfinder
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\shost32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\Run: [shost32] C:\WINDOWS\System32\shost32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: msib32 - Unknown owner - C:\WINDOWS\msib32.exe
O23 - Service: Microsoft Path Finder Service (mspathfinder) - Unknown owner - C:\WINDOWS\mspathfinder
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

Crunchie
4 Nov 2005, 5:04am
You have more worms. I have to go out, but I will respond ASAP. In the meantime, delete the entries for libsys32 in regedit.
Is your pc online all the time? You really need to install an anti-virus program and a decent firewall or you will be back on a regular basis to get cleaned up :).

Crunchie
4 Nov 2005, 6:56am
Can you please do the following.

Please visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

===============

Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

msib32 owner ... (C:\WINDOWS\msib32.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\msib32.exe
C:\WINDOWS\System32\shost32.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [shost32] C:\WINDOWS\System32\shost32.exe

O23 - Service: msib32 - Unknown owner - C:\WINDOWS\msib32.exe
O23 - Service: Microsoft Path Finder Service (mspathfinder) - Unknown owner - C:\WINDOWS\mspathfinder
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders: (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

files...

C:\WINDOWS\msib32.exe
C:\WINDOWS\System32\shost32.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

Please do get a firewall and anti-virus :).

panget
5 Nov 2005, 8:07am
Can I run the scanners at the same time?

Crunchie
5 Nov 2005, 8:19am
Would be best done one at a time so that they do not possibly encounter any conflicts.

panget
6 Nov 2005, 9:25am
Hello. I got rid of msib.exe, but couldn't find shost32.exe. Here's the log from bitdefender:

BitDefender Online Scanner - Scan Report

Scan report generated at: Sat, Nov 05, 2005 - 20:43:33

Scan path: A:\;C:\;D:\;

Statistics
Time: 00:23:51
Files: 160235
Folders: 4405
Boot Sectors: 2
Archives: 1092
Packed Files: 26281

Results
Identified Viruses: 8
Infected Files: 15
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 14

Engines Info
Virus Definitions: 232683
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions: (none)
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\WINDOWS\SYSTEM32\shost32.exe - Infected with: Trojan.Proxy.Ranky.Gen
C:\WINDOWS\SYSTEM32\shost32.exe - Disinfection failed
C:\WINDOWS\SYSTEM32\shost32.exe - Delete failed
C:\WINDOWS\SYSTEM32\eraseme_82320.exe - Infected with: Backdoor.SDBot.XD
C:\WINDOWS\SYSTEM32\eraseme_82320.exe - Disinfection failed
C:\WINDOWS\SYSTEM32\eraseme_82320.exe - Deleted
C:\WINDOWS\msib32.exe - Infected with: Backdoor.SDBot.6E2373D1
C:\WINDOWS\msib32.exe - Deleted
C:\ppel.exe - Infected with: Trojan.Proxy.Ranky.Gen
C:\ppel.exe - Deleted
C:\emoticon.exe - Infected with: Dropped:Trojan.Purityad.E
C:\emoticon.exe - Disinfection failed
C:\emoticon.exe - Deleted
C:\Documents and Settings\sze\Local Settings\Temporary Internet Files\Content.IE5\6H89QLSR\bhsv[1].dll - Infected with: Backdoor.SDBot.AHX
C:\Documents and Settings\sze\Local Settings\Temporary Internet Files\Content.IE5\6H89QLSR\bhsv[1].dll - Disinfection failed
C:\Documents and Settings\sze\Local Settings\Temporary Internet Files\Content.IE5\6H89QLSR\bhsv[1].dll - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UPWRGBO7\prx[1].exe - Infected with: Trojan.Proxy.Ranky.Gen
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UPWRGBO7\prx[1].exe - Deleted
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP11\A0006357.pif - Infected with: Backdoor.Rbot.XE
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP11\A0006357.pif - Disinfection failed
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP11\A0006357.pif - Deleted
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP13\A0006370.EXE - Infected with: Exploit.Based.Worm.Gen
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP13\A0006370.EXE - Disinfection failed
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP13\A0006370.EXE - Deleted
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP18\A0008845.EXE - Infected with: Backdoor.RBot.FGB
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP18\A0008845.EXE - Disinfection failed
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP18\A0008845.EXE - Deleted
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP18\A0008885.exe - Infected with: Trojan.Proxy.Ranky.Gen
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP18\A0008885.exe - Deleted
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009004.EXE - Infected with: Backdoor.SDBot.AHX
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009004.EXE - Disinfection failed
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009004.EXE - Deleted
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009018.exe - Infected with: Backdoor.SDBot.6E2373D1
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009018.exe - Deleted
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009019.exe - Infected with: Trojan.Proxy.Ranky.Gen
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009019.exe - Deleted
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009020.exe - Infected with: Dropped:Trojan.Purityad.E
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009020.exe - Disinfection failed
C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009020.exe - Deleted

=======================================

From Panda:


Incident Status Location

Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i
Virus:Trj/Ranky.JE Disinfected C:\WINDOWS\SYSTEM32\shost32.exe
Virus:W32/Sdbot.FLI.worm Disinfected C:\WINDOWS\SYSTEM32\eraseme_80852.exe
Virus:W32/Sdbot.FOS.worm Disinfected C:\WINDOWS\SYSTEM32\eraseme_62554.exe
Virus:W32/Sdbot.FOS.worm Disinfected C:\WINDOWS\msib32.exe
Virus:W32/Sdbot.FMF.worm Disinfected C:\WINDOWS\mspathfinder
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Virus:W32/Sdbot.FLI.worm Disinfected C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP3\A0004986.EXE
Virus:W32/Sdbot.FLI.worm Disinfected C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP18\A0008838.exe
Virus:Trj/Ranky.JE Disinfected C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009037.EXE
Virus:W32/Sdbot.FLI.worm Disinfected C:\System Volume Information\_restore{C86C1BE7-B824-4166-B2D3-B45AA4C80977}\RP20\A0009038.exe

=============================================

My latest log:

Logfile of HijackThis v1.99.1
Scan saved at 5:22:04 PM, on 11/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_DPPE03.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D508AC6D-A9E7-41B5-915C-44B25EA08A6E}: NameServer = 202.81.160.6 202.81.160.7
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Microsoft Path Finder Service (mspathfinder) - Unknown owner - C:\WINDOWS\mspathfinder (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

panget
6 Nov 2005, 9:30am
That's strange. I thought I already got rid of the files

O23 - Service: Microsoft Path Finder Service (mspathfinder) - Unknown owner - C:\WINDOWS\mspathfinder (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

......they came back.
:scratch:

Crunchie
6 Nov 2005, 9:49am
Go to;

Start>>Run and type regedit
Press enter.
Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Path Finder Service (mspathfinder)

If Microsoft Path Finder Service (mspathfinder) exists, right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Microsoft Path Finder Service (mspathfinder)

If LEGACY_Microsoft Path Finder Service (mspathfinder) exists then right click on it and choose delete from the menu.

If not there, try the file name mspathfinder instead.

Do the same for NT login service (ntlogin32)

==

Locate and delete C:\WINDOWS\smdat32m.sys

Post another log when done.

panget
7 Nov 2005, 9:24am
Hello. I got rid of everything except HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Microsoft Path Finder Service (mspathfinder)

and

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ntlogin32.

Here's my latest log:

Logfile of HijackThis v1.99.1
Scan saved at 5:23:28 PM, on 11/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\msupdate32.exe
C:\noxl.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\ymsgr_tray.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\mspathfinder
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [microsft Updates] msupdate32.exe
O4 - HKLM\..\Run: [Windows Automatic Updates] C:\noxl.exe
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D508AC6D-A9E7-41B5-915C-44B25EA08A6E}: NameServer = 202.81.160.6 202.81.160.7
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Microsoft Path Finder Service (mspathfinder) - Unknown owner - C:\WINDOWS\mspathfinder
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

Crunchie
7 Nov 2005, 9:50am
I believe that until you install a good Anti-Virus program and a good firewall, you are going to continue to be infected!

==============

Can you please do the following.

===============

Let's look for, and delete, any program segments (prefetches) that might be present and are associated with the 'problems' we're trying to remove from your PC. To do this, let's:

1) Click "Start | Search", then search for each of these programs' base name(s), in all files and folders:

msupdate32.exe*
mspathfinder*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

microsft Updates ... (msupdate32.exe)
Microsoft Path Finder Service (mspathfinder)...(mspathfinder)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\msupdate32.exe
C:\noxl.exe
mspathfinder

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [microsft Updates] msupdate32.exe
O4 - HKLM\..\Run: [Windows Automatic Updates] C:\noxl.exe
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe

O23 - Service: Microsoft Path Finder Service (mspathfinder) - Unknown owner - C:\WINDOWS\mspathfinder


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders: (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

files...

C:\WINDOWS\System32\msupdate32.exe
C:\noxl.exe
C:\WINDOWS\mspathfinder

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
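As an added illustration, not part of Crunchie's post or of HijackThis itself: a small Python triage pass over O4 (autorun) and O23 (service) lines that encodes the cues the helper relied on above. The sample log is constructed from the entries named in this thread plus two benign lines from the posted logs; the trusted-directory list and the heuristics are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample input: the entries Crunchie told the poster to fix, plus
# two benign lines (AntiVir autorun, EPSON service) from the posted logs.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [microsft Updates] msupdate32.exe
O4 - HKLM\\..\\Run: [Windows Automatic Updates] C:\\noxl.exe
O4 - HKLM\\..\\RunServices: [microsft Updates] msupdate32.exe
O4 - HKLM\\..\\Run: [AVGCtrl] C:\\Program Files\\AVPersonal\\AVGNT.EXE /min
O23 - Service: Microsoft Path Finder Service (mspathfinder) - Unknown owner - C:\\WINDOWS\\mspathfinder
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\\Program Files\\Common Files\\EPSON\\EBAPI\\SAgent2.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed: where legitimate autoruns on this XP box live (lower-cased prefixes).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")
# Words the malware on this page used to pose as an OS component.
MIMIC_WORDS = ("microsoft", "windows", "update")
EXE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".pif", ".dll")

def first_token(cmd: str) -> str:
    """Extract the executable from an O4 command line.
    Registry autoruns are often unquoted even when the path contains spaces, so an
    unquoted command is joined token by token until an executable suffix appears."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_SUFFIXES):
            return " ".join(tokens[: i + 1])
    return tokens[0]

def reasons_for_path(name: str, exe: str) -> List[str]:
    """Heuristic cues shared by autorun entries and services."""
    reasons = []
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\" not in exe:
        reasons.append("bare filename: resolved through the search path, not a fixed location")
    elif re.fullmatch(r"[a-z]:\\[^\\]+", low):
        reasons.append("executable sits in the drive root")
    if "." not in base:
        reasons.append("no file extension on the binary")
    if not low.startswith(TRUSTED_PREFIXES) and any(w in name.lower() for w in MIMIC_WORDS):
        reasons.append("name imitates a Microsoft/Windows component but runs from an unusual path")
    return reasons

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each O4/O23 line to its list of suspicion reasons (empty list = benign)."""
    result: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            reasons = reasons_for_path(m["name"], first_token(m["cmd"]))
            if m["key"].lower() == "runservices":
                reasons.append("autorun under the legacy RunServices key")
            result[line] = reasons
            continue
        m = O23_RE.match(line)
        if m:
            reasons = reasons_for_path(m["name"], m["path"])
            if m["owner"] == "Unknown owner" and not m["path"].lower().startswith(TRUSTED_PREFIXES):
                reasons.append("service with unknown publisher outside Program Files/System32")
            result[line] = reasons
    return result

def suspicious(log_text: str) -> List[str]:
    """Only the lines that collected at least one reason."""
    return [line for line, reasons in triage(log_text).items() if reasons]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(("FLAG " if reasons else "ok   ") + line)
        for r in reasons:
            print("      - " + r)
```

Run on the constructed sample, the four entries from Crunchie's fix list are flagged and the two benign lines are not; on a real log the output is a shortlist for a human to check, not a verdict.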

panget
8 Nov 2005, 3:42am
I've just finished performing your instructions. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:10:05 AM, on 11/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

=======================

I'm sorry not to comply with your instructions of installing an antivirus and firewall. The ones available in the market are too pricey and are way beyond our budget, such as McAfee, Norton, and PC-cillin. I also don't want to use pirated copies of these programs.

panget
8 Nov 2005, 7:59am
I have just installed antivir. Here's an hjt update:

Logfile of HijackThis v1.99.1
Scan saved at 3:57:46 PM, on 11/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 2)" /O6 "USB029" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P39 "EPSON Stylus Photo R210 Series (Copy 2)" /O6 "USB032" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P39 "EPSON Stylus Photo R210 Series (Copy 1)" /O6 "USB004" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB010" /M "Stylus Photo R210"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D508AC6D-A9E7-41B5-915C-44B25EA08A6E}: NameServer = 202.81.160.6 202.81.160.7
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

Crunchie
8 Nov 2005, 9:33am
AntiVir is an excellent, free AV. That's the one I use and have no problems with.

==

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here (http://bshagnasty.home.att.net/browsersettings.htm) and following the instructions there.

Better yet, use an alternative browser! Download FireFox (http://www.mozilla.org/products/firefox/) and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera (http://www.opera.com/download/) which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, (http://www.lavasoftusa.com/software/adaware/) and Spybot S&D. (http://www.computercops.biz/zx/phoenix22/spybotsd13.zip)
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. (http://windowsupdate.microsoft.com/) Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to do that are here. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and turn System Restore back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

panget
9 Nov 2005, 1:03pm
I scanned using spybot again. For some reason, it stopped working. I don't know if www.coolwebsearch is still in the system or not. Meanwhile, hijack this isn't working.

Crunchie
9 Nov 2005, 1:05pm
I suggest that you uninstall then reinstall Spybot making sure to have the latest (1.4) version.
What happens when you try to run hijackthis? Try moving it to a different folder and run it again.

panget
9 Nov 2005, 1:22pm
Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:26 PM, on 11/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\O&K Print Watch\WatchSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\sze\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB013" /M "Stylus C45"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB019" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 2)" /O6 "USB029" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P39 "EPSON Stylus Photo R210 Series (Copy 2)" /O6 "USB032" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P39 "EPSON Stylus Photo R210 Series (Copy 1)" /O6 "USB004" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB010" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 3)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P32 "EPSON Stylus C45 Series (Copy 3)" /O6 "USB034" /M "Stylus C45"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: O&K Print Watch Service - Unknown owner - C:\Program Files\O&K Print Watch\WatchSrv.exe

=====================================

Crunchie
9 Nov 2005, 9:08pm
Here's my log:

Still clean :).

panget
10 Nov 2005, 3:03am
I ran Ad-Aware and it has detected 3 istbar objects :(. Unless it's a bug of Ad-Aware. Otherwise, I don't have any problems with the computer.

Crunchie
10 Nov 2005, 10:11am
Try Symantec's tool for its removal.

http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

panget
11 Nov 2005, 12:10pm
It didn't find anything. Could it be a bug from Ad-Aware?

Crunchie
11 Nov 2005, 1:06pm
Where are the 3 istbar objects found?

panget
13 Nov 2005, 5:28am
I rescanned and adaware found only 1 istbar object. It's located here:
HKEY_LOCAL_MACHINE:software\istbar\

Crunchie
13 Nov 2005, 5:36am
Copy the following to notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

[-HKEY_LOCAL_MACHINE\software\istbar]

Close all browser windows and double click on the file to merge it with your registry. When asked if you want it merged, answer yes.

Reboot and see if it still gets found by adaware.
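An added example, not part of Crunchie's post: a Python helper that writes a key-deletion .reg script with the header regedit requires and checks a script before it is merged. The "not a registry script" error later in this thread is exactly what a file without that first header line produces; the functions and the Notepad-filename check are this example's own.

```python
from typing import List, Tuple

# Headers regedit accepts on the first line of a .reg script: the Windows 9x/NT4
# form and the Windows 2000+ form. Without one, regedit refuses the file with
# "The specified file is not a registry script".
VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

def build_delete_script(keys: List[str]) -> str:
    """Return a .reg script that deletes each key in `keys` using the [-KEY] form."""
    lines = [VALID_HEADERS[0], ""]
    for key in keys:
        lines.append(f"[-{key}]")
        lines.append("")
    return "\r\n".join(lines)

def check_reg_script(text: str) -> Tuple[bool, str, List[str]]:
    """Validate a .reg script before merging it.
    Returns (ok, diagnosis, keys_that_would_be_deleted)."""
    text = text.lstrip("\ufeff")  # tolerate a UTF-8 BOM written by Notepad
    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        return (False,
                "missing 'REGEDIT4' / 'Windows Registry Editor Version 5.00' header: "
                "regedit will report that the file is not a registry script",
                [])
    deleted: List[str] = []
    for ln in lines[1:]:
        ln = ln.strip()
        if not ln or ln.startswith(";"):
            continue                      # blank line or comment
        if ln.startswith("[-") and ln.endswith("]"):
            deleted.append(ln[2:-1])      # [-KEY] deletes the whole key
        elif ln.startswith("[") and ln.endswith("]"):
            continue                      # [KEY] creates/opens a key
        elif "=" in ln:
            continue                      # "Name"=value or "Name"=- (value deletion)
        else:
            return False, f"unparseable line: {ln!r}", deleted
    return True, "ok", deleted

def notepad_filename_ok(name: str) -> bool:
    """Notepad appends .txt unless 'Save as type' is 'All files'; a file named
    fixme.reg.txt opens in Notepad instead of regedit."""
    return name.lower().endswith(".reg")

if __name__ == "__main__":
    script = build_delete_script(["HKEY_LOCAL_MACHINE\\software\\istbar"])
    print(script)
    print(check_reg_script(script))
    # The body line alone, as a pasted snippet without the header would be saved:
    print(check_reg_script("[-HKEY_LOCAL_MACHINE\\software\\istbar]\r\n"))
```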

panget
14 Nov 2005, 5:58am
Copy the following to notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

[-HKEY_LOCAL_MACHINE\software\istbar]

Close all browser windows and double click on the file to merge it with your registry. When asked if you want it merged, answer yes.

Reboot and see if it still gets found by adaware.

When I add it into the registry, a box appears with this message:

"Cannot import C:\DOCUME~1\sze\Desktop\fixme.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

Crunchie
14 Nov 2005, 9:40am
Did you save it as 'all files'? Did you have that ':' after it? I have uploaded it for you, so unzip it from the file and double click to run it. Make sure all other applications are closed, i.e. Windows Explorer windows and Internet Explorer windows.

panget
17 Nov 2005, 10:39am
Yes, I did what you've instructed. But the istbar bugger is still there, even though I deleted it in ad-aware.

Crunchie
17 Nov 2005, 12:42pm
Do you have the latest Adaware version? Are the definitions up-to-date? If that is just an orphaned registry entry, I would not be too concerned with it.