Couple of problems

For some time now, every time I start up my PC, it takes a while before it gets connected to the internet. Before it does that, an update icon appears in my tray, then I get an error telling me the Windows firewall is not active, and then, finally, my wireless internet gets a connection. I also noticed that svchost.exe has 99% CPU usage at this time.
Opening up the Security Center doesn't even work half of the time now; it used to work, but then it just said that it wasn't active and that it had to be restarted.

Today, I was unlucky enough to encounter some nasty stuff. I don't know the exact name of the trojan, but it popped up pseudo-Windows messages claiming that "my PC was infected with adware/spyware" and that something should be done about it. I searched around, found a few answers, ran Ad-Aware and Spybot, virus-checked a couple of times, and also deleted a few HijackThis entries in safe mode (I found a case quite similar and searched for the files I deleted; they were all trojans of some sort). That problem's gone now, but I still get pop-unders in Firefox (also "security" messages). I've set ZoneAlarm to deny requests from a program called winlogon.exe, which was trying to access Firefox (but the popups didn't stop). Getting the popups disables the use of the process manager.

There's one file left in the HJT log that I can't get rid of; it keeps coming back, as you'll see (in bold):
Logfile of HijackThis v1.99.1
Scan saved at 21:17:00, on 30/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\wltrysvc.exe
F:\WINDOWS\System32\bcmwltry.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
F:\MySQL\mysql-4.1.1a-alpha\bin\mysqld-nt.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\PROGRA~1\BONECH~1\FIREFOX.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\msiexec.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\wbem\wmiapsrv.exe
F:\WINDOWS\System32\svchost.exe
F:\Documents and Settings\PC\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.be/0SENLBE/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PMCRemote] F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PMCS] "F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" -host -clearDebug
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Bluetooth.lnk = F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verzenden naar &Bluetooth - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/include/pki/SecuiTechIE.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092090677218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132860717750
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag2729.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax2729.cab
[b]O20 - Winlogon Notify: Extensions - F:\WINDOWS\system32\t28ulcl91fq.dll[/b]
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - F:/MySQL/mysql-4.1.1a-alpha/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe


I really hope someone can help me clean up my PC. :)

Comments

  • edited March 2006
    Okay, I got rid of the one file by searching the forums (and I apologise for not doing that sooner).

    But still, if anyone could help me with the security issues, I'd appreciate it.
  • edited March 2006
    Okay, yet another problem: after I got the trojan, it seems as though I'm not even a system admin anymore. I can't install UltraMon, for example, because it says the administrator blocked the install. I cannot get Ctrl+Alt+Del to work either. :s
  • Trogan, London, UK
    edited March 2006
    Hi, welcome to Short-Media :)

    You have the Look2Me infection. :(


    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

    If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe
    C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
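    The reason the O20 entry in the first HijackThis log "keeps coming back" is that Look2Me registers its DLL under the Winlogon\Notify key, so winlogon.exe loads it at every logon (which is also why ZoneAlarm saw winlogon.exe reaching for Firefox). The script below is an added example for this thread, not code from HijackThis or L2mfix: it parses O20 lines from a HijackThis log and flags any Notify subkey or DLL that is not in the stock Windows XP SP2 set. The baseline sets are taken from the clean Notify export posted later in the thread and are an assumption; legitimate third-party software can add Notify entries too, so a hit is a triage lead rather than a verdict. The sample log is constructed from the O20 line posted above plus one baseline entry for contrast.

```python
"""Triage HijackThis O20 (Winlogon Notify) lines for Look2Me-style entries.

Added example for this thread; it is not part of HijackThis or L2mfix.
Look2Me persists as a DLL registered under
HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify, so
winlogon.exe loads it at every logon and the entry reappears after deletion.
"""
import re

# Subkeys and DLLs present in the clean Windows XP SP2 Notify export posted
# later in this thread. Assumption: this is the baseline for a stock XP SP2
# install; legitimate third-party software (AV suites, smart-card tools) can
# add entries too, so a hit is a triage lead, not a verdict.
BASELINE_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>.+?) - (?P<path>.+)$")


def looks_random(dll):
    """Stem mixes letters with two or more digits, e.g. t28ulcl91fq."""
    stem = dll.rsplit(".", 1)[0]
    return re.search(r"[a-z]", stem) is not None and len(re.findall(r"\d", stem)) >= 2


def parse_o20(line):
    """Split one O20 line into subkey, full path and lower-cased DLL name."""
    m = O20_RE.match(line.strip())
    if m is None:
        return None
    path = m["path"].strip()
    return {"subkey": m["subkey"].strip(), "path": path,
            "dll": path.replace("/", "\\").rsplit("\\", 1)[-1].lower()}


def triage_hjt_log(text):
    """Return one finding per O20 line, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_o20(line)
        if entry is None:
            continue
        reasons = []
        if entry["subkey"].lower() not in BASELINE_SUBKEYS:
            reasons.append("subkey not in XP SP2 baseline")
        if entry["dll"] not in BASELINE_DLLS:
            reasons.append("DLL not in XP SP2 baseline")
            if looks_random(entry["dll"]):
                reasons.append("random-looking DLL name")
        entry["reasons"] = reasons
        entry["suspicious"] = bool(reasons)
        findings.append(entry)
    return findings


# Constructed sample: the O20 line from the log posted above plus a
# baseline entry for contrast (HijackThis normally hides default entries).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [AVG7_CC] F:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O20 - Winlogon Notify: Extensions - F:\\WINDOWS\\system32\\t28ulcl91fq.dll
O20 - Winlogon Notify: ScCertProp - F:\\WINDOWS\\system32\\wlnotify.dll
"""

if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        status = "SUSPICIOUS" if f["suspicious"] else "baseline"
        print(f"{status:10} {f['subkey']:12} {f['dll']:20} {'; '.join(f['reasons'])}")
```

    Run it against a saved HijackThis log by reading the file into `triage_hjt_log`; the "Extensions" subkey with a random-looking DLL in system32 is exactly the pattern Trogan identified above.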
  • edited March 2006
    I already scanned and deleted the L2M infection with another tool in the sticky on this page, but just to be safe, here's the log:

    L2MFIX find log 032106
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "sv1"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
    "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
    "{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
    "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
    "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    @=""
    "{6af09ec9-b429-11d4-a1fb-0090960218cb}"="My Bluetooth Places"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI- en bestandsextractieprogramma voor miniaturen"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Informatie over de handler voor miniatuurweergaven (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-extractie voor miniatuurweergaven"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}"="Messenger Sharing Folders"
    "{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
    "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-extensie"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto-handtekeningextensie"

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    **********************************************************************************
    Files Found are not all bad files:

    F:\WINDOWS\SYSTEM32\
    comdlg64.dll Thu 30 Mar 2006 19:08:52 A.... 5.096 4,98 K
    ebkp.dll Sun 26 Mar 2006 18:18:40 A.... 25.088 24,50 K
    ir4ql5~1.dll Thu 30 Mar 2006 21:11:18 ..S.R 234.592 229,09 K
    nmh040a.dll Sun 22 Jan 2006 14:01:32 A.... 24.576 24,00 K
    pncrt.dll Wed 25 Jan 2006 12:45:54 A.... 278.528 272,00 K
    senssrv.dll Thu 30 Mar 2006 18:10:28 A.... 57.344 56,00 K
    sirenacm.dll Fri 17 Feb 2006 11:17:14 A.... 60.104 58,70 K
    t28ulc~1.dll Thu 30 Mar 2006 20:59:18 ..... 236.574 231,03 K
    vsdata.dll Thu 16 Mar 2006 11:32:56 A.... 83.736 81,77 K
    vsinit.dll Thu 16 Mar 2006 11:33:08 A.... 141.080 137,77 K
    vsmonapi.dll Thu 16 Mar 2006 11:33:16 A.... 104.216 101,77 K
    vspubapi.dll Thu 16 Mar 2006 11:33:20 A.... 227.096 221,77 K
    vsregexp.dll Thu 16 Mar 2006 11:33:24 A.... 71.448 69,77 K
    vsutil.dll Thu 16 Mar 2006 11:33:36 A.... 382.744 373,77 K
    vsxml.dll Thu 16 Mar 2006 11:33:44 A.... 100.120 97,77 K
    webclnt.dll Wed 4 Jan 2006 5:36:30 A.... 68.096 66,50 K
    wuavideo.dll Thu 30 Mar 2006 18:33:46 ..S.R 236.085 230,55 K
    zlcomm.dll Thu 16 Mar 2006 11:34:04 A.... 79.640 77,77 K
    zlcommdb.dll Thu 16 Mar 2006 11:34:08 A.... 71.448 69,77 K

    19 items found: 19 files (2 H/S), 0 directories.
    Total of file sizes: 2.487.611 bytes 2,37 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    De volumenaam van station F is Applications
    Het volumenummer is C0C2-DFF5

    Map van F:\WINDOWS\System32

    30/03/2006 21:11 234.592 ir4ql5h51.dll
    30/03/2006 18:33 236.085 wuavideo.dll
    25/01/2006 16:53 <DIR> dllcache
    05/06/2005 12:40 6.144 access.ctl
    11/03/2005 12:29 3.584 Thumbs.db
    23/05/2004 12:40 94.208 msstkprp.dll
    09/04/2004 17:06 <DIR> Microsoft
    5 bestand(en) 574.613 bytes
    2 map(pen) 3.774.345.216 bytes beschikbaar
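    The find log above says it plainly: "Files Found are not all bad files". Most of the entries are ZoneAlarm and RealPlayer libraries, and only three (ir4ql5h51.dll, t28ulcl91fq.dll, wuavideo.dll) were removed by the fix run later in the thread. The script below is an added example for this thread, not code from L2mfix: it parses the "Files Found" lines and scores each file on three indicators, namely system/hidden/read-only attribute flags, a random-looking name, and a write time on the day of the scan, flagging only files that accumulate two or more. Two assumptions are made: that the five-character attribute column uses S, H and R for system, hidden and read-only (the log does not document it), and that the newest file date in the listing is the scan day. The sample listing is a subset of the lines posted above.

```python
"""Triage the 'Files Found' listing from an L2MFix find log.

Added example for this thread; it is not code from L2mfix. The tool itself
says the files listed are not all bad, so this scores each entry and flags
only those that accumulate several indicators. Assumptions: the five-letter
attribute column uses S, H and R for system, hidden and read-only (the log
does not document it), and the scan ran on the day of the newest file.
"""
import re
from datetime import datetime

# name  Www dd Mon yyyy hh:mm:ss  attrs  bytes ('.' thousands separator)  size K
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2}) (?P<attrs>[A-Z.]{5}) (?P<size>[\d.]+) "
)


def parse_listing(text):
    """Return one dict per file line; directory headers and totals are skipped."""
    files = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        mtime = datetime.strptime(
            f"{m['day']} {m['mon']} {m['year']} {m['time']}", "%d %b %Y %H:%M:%S")
        files.append({"name": m["name"].lower(), "mtime": mtime,
                      "attrs": m["attrs"], "size": int(m["size"].replace(".", ""))})
    return files


def looks_random(name):
    """A digit followed by a letter inside the stem (ir4ql5, t28ulc, nmh040a);
    versioned names such as comdlg64 or crypt32 do not match."""
    stem = name.rsplit(".", 1)[0].split("~")[0]
    return re.search(r"\d[a-z]", stem) is not None


def triage(files):
    """Score every file; 'flagged' means two or more indicators."""
    if not files:
        return []
    newest_day = max(f["mtime"] for f in files).date()
    results = []
    for f in files:
        score, reasons = 0, []
        if any(flag in f["attrs"] for flag in "SHR"):
            score += 2
            reasons.append(f"attributes {f['attrs']} (system/hidden/read-only)")
        if looks_random(f["name"]):
            score += 1
            reasons.append("random-looking name")
        if f["mtime"].date() == newest_day:
            score += 1
            reasons.append("written on the scan day")
        results.append({**f, "score": score, "reasons": reasons, "flagged": score >= 2})
    return results


def flagged_names(text):
    """Names of the files that reach the flag threshold, in listing order."""
    return [r["name"] for r in triage(parse_listing(text)) if r["flagged"]]


# Lines copied from the find log posted above (a subset of the 19 entries).
SAMPLE_LISTING = """\
F:\\WINDOWS\\SYSTEM32\\
comdlg64.dll Thu 30 Mar 2006 19:08:52 A.... 5.096 4,98 K
ebkp.dll Sun 26 Mar 2006 18:18:40 A.... 25.088 24,50 K
ir4ql5~1.dll Thu 30 Mar 2006 21:11:18 ..S.R 234.592 229,09 K
nmh040a.dll Sun 22 Jan 2006 14:01:32 A.... 24.576 24,00 K
senssrv.dll Thu 30 Mar 2006 18:10:28 A.... 57.344 56,00 K
t28ulc~1.dll Thu 30 Mar 2006 20:59:18 ..... 236.574 231,03 K
vsdata.dll Thu 16 Mar 2006 11:32:56 A.... 83.736 81,77 K
webclnt.dll Wed 4 Jan 2006 5:36:30 A.... 68.096 66,50 K
wuavideo.dll Thu 30 Mar 2006 18:33:46 ..S.R 236.085 230,55 K
zlcomm.dll Thu 16 Mar 2006 11:34:04 A.... 79.640 77,77 K
"""

if __name__ == "__main__":
    for r in triage(parse_listing(SAMPLE_LISTING)):
        mark = "FLAG" if r["flagged"] else "    "
        print(f"{mark} {r['name']:14} score={r['score']} {'; '.join(r['reasons'])}")
```

    On the sample the three flagged names are the same three files the fix run deleted; comdlg64.dll and senssrv.dll score one point each for the scan-day write time alone, which is why a single indicator is not treated as a hit.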
  • Trogan, London, UK
    edited March 2006
    Close any browsers and programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
    If after the reboot the log does not open double click on it in the l2mfix folder.
  • edited March 2006
    log.txt:
    L2mfix 032106
    Creating Account.
    De opdracht is voltooid.

    Adding Administrative privleges.
    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful

    Running From:
    F:\WINDOWS\system32

    Killing Processes!

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 648 'smss.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 744 'winlogon.exe'
    (This repeats for literally A BILLION TIMES!!!)

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1444 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 2028 'rundll32.exe'
    Killing PID 672 'rundll32.exe'
    Restoring Sedebugprivilege:
    Granting SeDebugPrivilege to Administrators ... successful

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    0 bestand(en) gekopieerd.
    0 bestand(en) gekopieerd.
    0 bestand(en) gekopieerd.
    Deleting: F:\WINDOWS\system32\ir4ql5h51.dll
    Successfully Deleted: F:\WINDOWS\system32\ir4ql5h51.dll
    Deleting: F:\WINDOWS\system32\t28ulcl91fq.dll
    Successfully Deleted: F:\WINDOWS\system32\t28ulcl91fq.dll
    Deleting: F:\WINDOWS\system32\wuavideo.dll
    Successfully Deleted: F:\WINDOWS\system32\wuavideo.dll

    msg11?.dll
    0 bestand(en) gekopieerd.



    Restoring Windows Update Certificates.:

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************
    F:\WINDOWS\system32\ir4ql5h51.dll
    F:\WINDOWS\system32\t28ulcl91fq.dll
    F:\WINDOWS\system32\wuavideo.dll

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************

    [.ShellClassInfo]
    IconFile=
    IconIndex=0
    ****************************************************************************
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    zip warning: name not matched: dlls\*.*

    zip error: Nothing to do! (backup.zip)
    adding: backregs/notibac.reg (140 bytes security) (deflated 87%)


    hjt log:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:04:54, on 31/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\wltrysvc.exe
    F:\WINDOWS\System32\bcmwltry.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    F:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    F:\MySQL\mysql-4.1.1a-alpha\bin\mysqld-nt.exe
    F:\WINDOWS\system32\nvsvc32.exe
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
    F:\WINDOWS\system32\wuauclt.exe
    F:\WINDOWS\system32\msiexec.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\notepad.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
    F:\Program Files\iTunes\iTunesHelper.exe
    F:\Program Files\iPod\bin\iPodService.exe
    F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    F:\Program Files\MSN Messenger\msnmsgr.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\Program Files\WinZip\WZQKPICK.EXE
    F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    F:\PROGRA~1\BONECH~1\FIREFOX.EXE
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\wbem\wmiapsrv.exe
    F:\Documents and Settings\PC\Bureaublad\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvtv.nl/cgi-bin/WebObjects/EPGnl.woa
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.be/0SENLBE/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [PMCRemote] F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [PMCS] "F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" -host -clearDebug
    O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Bluetooth.lnk = F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/include/pki/SecuiTechIE.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
    O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092090677218
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132860717750
    O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag2729.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax2729.cab
    O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySql - Unknown owner - F:/MySQL/mysql-4.1.1a-alpha/bin/mysqld-nt.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe
  • TroganTrogan London, UK
    edited March 2006
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R3 - Default URLSearchHook is missing


    - Close ALL open windows
    - Click Fix Checked
    ==========

    Apart from that, your log is clean.

    How are things?
  • edited March 2006
    It was already a lot better, but I still can't get the Windows Security Center to work... it says it's shut down and I have to reboot it manually?? :s

    thanks, btw.
  • TroganTrogan London, UK
    edited March 2006
    Let's do some other scans.

    Panda ActiveScan

    - Once you are on the Panda site, click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When the download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log


    Go here, download and then run Silent Runners.vbs. It generates a log; please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.
  • edited March 2006
    Incident Status Location
    Adware:Adware/Deskwizz Not disinfected C:\sk02.exe
    Spyware:Cookie/MetriWeb Not disinfected F:\Documents and Settings\PC\Application Data\Mozilla\Firefox\Profiles\iomgoexp.default\cookies.txt[]
    Potentially unwanted tool:Application/Processor Not disinfected F:\Documents and Settings\PC\Bureaublad\lm2fix\l2mfix\Process.exe


    hjt:
    Logfile of HijackThis v1.99.1
    Scan saved at 20:07:29, on 31/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\wltrysvc.exe
    F:\WINDOWS\System32\bcmwltry.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    F:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    F:\MySQL\mysql-4.1.1a-alpha\bin\mysqld-nt.exe
    F:\WINDOWS\system32\nvsvc32.exe
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
    F:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
    F:\Program Files\iTunes\iTunesHelper.exe
    F:\Program Files\iPod\bin\iPodService.exe
    F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    F:\Program Files\MSN Messenger\msnmsgr.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\Program Files\WinZip\WZQKPICK.EXE
    F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    F:\WINDOWS\System32\svchost.exe
    F:\PROGRA~1\BONECH~1\FIREFOX.EXE
    F:\Program Files\iTunes\iTunes.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\PclePvr\VideoControl.exe
    F:\Documents and Settings\PC\Bureaublad\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvtv.nl/cgi-bin/WebObjects/EPGnl.woa
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.be/0SENLBE/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [PMCRemote] F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [PMCS] "F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" -host -clearDebug
    O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Bluetooth.lnk = F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/include/pki/SecuiTechIE.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
    O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092090677218
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132860717750
    O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag2729.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax2729.cab
    O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySql - Unknown owner - F:/MySQL/mysql-4.1.1a-alpha/bin/mysqld-nt.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe


    silent runners:

    "Silent Runners.vbs", revision 44, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "msnmsgr" = ""F:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
    "ctfmon.exe" = "F:\WINDOWS\system32\ctfmon.exe" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NvCplDaemon" = "RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "CTStartup" = "F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run" ["Creative Technology Ltd."]
    "AVG7_CC" = "F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "AVG7_EMC" = "F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    "NvMediaCenter" = "RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "SunJavaUpdateSched" = "F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "PinnacleDriverCheck" = "F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
    "PMCRemote" = "F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" ["Pinnacle Systems"]
    "PMCS" = ""F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" -host -clearDebug" [null data]
    "iTunesHelper" = ""F:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
    "QuickTime Task" = ""F:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "WindowsUpdate" = "*r" (unwritable string) [file not found]
    "Zone Labs Client" = "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
    -> {HKLM...CLSID} = "YMailShellExt Class"
    \InProcServer32\(Default) = "F:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [file not found]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {HKLM...CLSID} = "Portable Media Devices"
    \InProcServer32\(Default) = "F:\WINDOWS\System32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "F:\WINDOWS\System32\Audiodev.dll" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "F:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
    -> {HKLM...CLSID} = "Shell Icon Handler for Application References"
    \InProcServer32\(Default) = "F:\WINDOWS\system32\dfshim.dll" [MS]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {HKLM...CLSID} = "Shell Search Band"
    \InProcServer32\(Default) = "F:\WINDOWS\system32\browseui.dll" [MS]
    "{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
    -> {HKLM...CLSID} = "Mijn Bluetooth-locaties"
    \InProcServer32\(Default) = "F:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "Mijn Gedeelde mappen"
    \InProcServer32\(Default) = "F:\PROGRA~1\MSNMES~1\fsshext.dll" [MS]
    "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
    -> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
    \InProcServer32\(Default) = "F:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
    -> {HKLM...CLSID} = "MCPShellInstantiator Class"
    \InProcServer32\(Default) = "F:\Program Files\Common Files\Stardock\MCPCore.dll" ["Stardock"]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    INFECTION WARNING! "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "F:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
    Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
    -> {HKLM...CLSID} = "YMailShellExt Class"
    \InProcServer32\(Default) = "F:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [file not found]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


    Default executables:

    HKCU\Software\Classes\.bat\(Default) = (value not set)

    HKCU\Software\Classes\.cmd\(Default) = (value not set)

    HKCU\Software\Classes\.com\(Default) = (value not set)

    HKCU\Software\Classes\.exe\(Default) = (value not set)

    HKCU\Software\Classes\.hta\(Default) = (value not set)


    Active Desktop and Wallpaper:

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "F:\Documents and Settings\PC\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Startup items in "PC" & "All Users" startup folders:

    F:\Documents and Settings\PC\Menu Start\Programma's\Opstarten
    "Bluetooth" -> shortcut to: "F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]

    F:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
    "WinZip Quick Pick" -> shortcut to: "F:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing LP"]


    Enabled Scheduled Tasks:

    "ShowShifter Regular ShowGuide Update" -> launches: "F:\Program Files\Home Media Networks Limited\ShowShifter\Launch.exe /Unattended /Background /ShowGuide" [file not found]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 30
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Explorer Bars

    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
    {21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Shell Search Band"
    \InProcServer32\(Default) = "F:\WINDOWS\system32\browseui.dll" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):

    AVG7 Alert Manager Server, Avg7Alrt, "F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    Bluetooth Service, btwdins, "F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
    Bluetooth Support Service, BthServ, "F:\WINDOWS\system32\svchost.exe -k bthsvcs" {"F:\WINDOWS\System32\bthserv.dll" [MS]}
    Broadcom Wireless LAN Tray Service, wltrysvc, "F:\WINDOWS\System32\wltrysvc.exe F:\WINDOWS\System32\bcmwltry.exe" [null data]
    iPodService, iPodService, "F:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
    Machine Debug Manager, MDM, ""F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
    Messenger Sharing USN Journal Reader service, usnsvc, "F:\WINDOWS\System32\svchost.exe -k usnsvc" {"F:\Program Files\MSN Messenger\usnsvc.dll" [MS]}
    MSSQL$PINNACLESYS, MSSQL$PINNACLESYS, "F:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe -sPINNACLESYS" [MS]
    MySql, MySql, "F:/MySQL/mysql-4.1.1a-alpha/bin/mysqld-nt.exe" [null data]
    NVIDIA Display Driver Service, NVSvc, "F:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    Pinnacle Systems Media Service, PinnacleSys.MediaServer, ""F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe"" [null data]
    TrueVector Internet Monitor, vsmon, "F:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
    Windows User Mode Driver Framework, UMWdf, "F:\WINDOWS\System32\wdfmgr.exe" [MS]


    Print Monitors:

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Bluetooth-printerpoort\Driver = "bthcrp.dll" ["Broadcom Corporation."]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    PrimoMon\Driver = "Primomonnt.dll" [null data]


    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    (total run time: 29 seconds, including 12 seconds for message boxes)
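The two logs above are long, and most of what a helper does with them is mechanical: look at each O4 autorun, each O23 service and each Silent Runners marker and decide which entries deserve a closer look. The following is an added example of that triage step as a script, written for this page; it is not code from the thread, from HijackThis or from Silent Runners. The sample lines are copied from the logs posted above (plus one clearly labelled constructed line pointing at a Temp directory), and the rule names, severity levels and heuristics (bare executable names, "Unknown owner" services, "[file not found]" entries, the tool's own "INFECTION WARNING!" marker, autoruns living under a user profile) are this example's own assumptions, not part of either tool.

```python
"""Triage of HijackThis / Silent Runners log lines (added example).

Parses O4 Run entries, O23 service entries and Silent Runners markers and
reports entries a helper would want to verify. Heuristics and names are
this example's own; nothing here is part of either tool.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "info", "review" or "alert" (this example's own levels)
    rule: str
    line: str


# HijackThis O4 line: O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# HijackThis O23 line: O23 - Service: display - owner - path
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# First token that looks like an executable/DLL, allowing unquoted paths with spaces
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|cpl|scr|com|bat))(?=[\s,]|$)(?P<rest>.*)$',
                    re.IGNORECASE)
ABS_PATH_RE = re.compile(r'^[A-Za-z]:[\\/]')
# Directory fragments a normal autorun rarely lives in (assumption of this example)
USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\application data\\')


def launch_target(cmd: str) -> str:
    """Return the file an O4 command actually launches (the DLL, for rundll32)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            end = len(cmd)
        target, rest = cmd[1:end], cmd[end + 1:]
    else:
        m = EXE_RE.match(cmd)
        if m:
            target, rest = m.group('path'), m.group('rest')
        else:
            target, _, rest = cmd.partition(' ')
    if target.lower().endswith('rundll32.exe'):
        # rundll32 is only a host process; what matters is the DLL it is told to load
        return launch_target(rest.lstrip().split(',', 1)[0])
    return target


def triage_line(line: str):
    """Classify one log line; None means nothing worth a second look."""
    line = line.strip()
    if not line:
        return None
    if line.startswith('INFECTION WARNING!'):
        # Silent Runners' own flag for launch points such as AppInit_DLLs: verify publisher and path
        return Finding('alert', 'tool-flagged-location', line)
    if line.endswith('[file not found]'):
        # entry points at a file that no longer exists: leftover to clean up
        return Finding('review', 'orphaned-entry', line)
    if line == 'R3 - Default URLSearchHook is missing':
        return Finding('info', 'missing-urlsearchhook', line)
    m = O4_RE.match(line)
    if m:
        target = launch_target(m.group('cmd'))
        if not ABS_PATH_RE.match(target):
            # bare file name is resolved through the search path: confirm which copy runs
            return Finding('review', 'bare-executable', line)
        if any(seg in target.lower() for seg in USER_WRITABLE):
            return Finding('alert', 'autorun-from-user-writable-dir', line)
        return None
    m = O23_RE.match(line)
    if m and m.group('owner') == 'Unknown owner':
        return Finding('review', 'unknown-service-owner', line)
    return None


def triage(text: str):
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    counts = {'info': 0, 'review': 0, 'alert': 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Sample input: lines copied from the logs above, plus one constructed line
# ([example], pointing at a Temp directory) to exercise the user-writable rule.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PMCS] "F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" -host -clearDebug
O4 - HKCU\..\Run: [example] F:\Documents and Settings\PC\Local Settings\Temp\example.exe
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
"WindowsUpdate" = "*r" (unwritable string) [file not found]
INFECTION WARNING! "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.severity:6} {f.rule:32} {f.line}')
```

On the sample the script reports the URLSearchHook line as informational, the bare `nwiz.exe` and `bthprops.cpl` autoruns, the "Unknown owner" Adobe service and the orphaned `WindowsUpdate` value for review, and raises the Temp-directory autorun and the AppInit_DLLs line as alerts. None of that is a verdict: a flagged entry (the Stardock AppInit_DLLs entry is a case in point) still has to be checked against the file's publisher and location, which is exactly what the helper in this thread does by hand.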
  • TroganTrogan London, UK
    edited March 2006
    Download ATF (Atribune Temp File) Cleaner© by Atribune
    http://www.atribune.org/ccount/click.php?id=1
    It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.

    Run ATF Cleaner
    Double-click ATF Cleaner.exe
    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    ================================================================

    Please download Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

    1) Run Ad-Aware, and click Check for updates now.

    2) Select Configurations (click the Gear wheel at the top) as follows:
    • General Button > Safety & Settings: Check (Green) all three.
    • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
    Click Proceed.

    3) To start the scan, Click > "Scan Now" at left
    • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
    • Select "Search for low-risk threats"
    • Select "Perform full system scan"
    • Click Next
    4) When the scan has completed, select Next.
    • In the Scanning Results window, select the "Critical Objects" tab.
    • Right-click on the screen and choose "Select all objects"
    • Click Next to remove the infections found, and click OK to the prompt.
    • Restart the computer.
    After scanning with Ad-Aware, please scan with SpyBot - Search & Destroy


    Download Spybot - Search & Destroy from here.
    1. Download and Install Spybot S&D (if you haven't already), accept the Default Settings
    2. In the Menu Bar at the top of the Spybot window you will see 'Mode'.
      Make certain that 'default mode' has a check mark beside it.
    3. Close ALL windows except Spybot S&D
    4. Click the button to ‘Search for Updates’ then download and install the updates.
    5. Next click the button ‘Check for Problems'
    6. When Spybot is complete, it will be showing 'RED' entries, bold 'BLACK' entries and 'GREEN' entries in the window
    7. Make certain there is a check mark beside all of the RED entries ONLY.
    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
    9. REBOOT normally to complete the scan and clear memory.


    Let me know how things are. :)
  • edited March 2006
    Alright, I scanned, nothing came up in those programs; AVG however noticed about 30 trojans etc while scanning, and I healed all of them, except for one which didn't have the "heal" button, so I quarantined it.

    After a reboot I still can't access my Security Center, and it still freezes for about thirty seconds before getting connected to the internet.

    weird, thanks a lot though.
  • TroganTrogan London, UK
    edited March 2006
    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    When installing the program, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    Once installed, update the definitions to the newest files. Do NOT run a scan yet.
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml

    Once in Safe Mode, please run Ewido
    (Do not use the computer while Ewido is scanning)
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido

    Restart your computer in normal mode and post the log from Ewido.
  • edited April 2006

    ewido anti-malware - Scan rapport

    + Gemaakt op: 11:52:47, 1/04/2006
    + Rapport samenvatting: 2DCB651F

    + Scan resultaten:

    HKLM\SOFTWARE\Classes\CLSID\{3FDE0CB5-619F-4227-8961-F2D7ED15B88E} -> Adware.CramToolbar : Schoongemaakt met een backup
    HKLM\SOFTWARE\Ran Geva -> Adware.URLBlaze : Schoongemaakt met een backup
    HKU\S-1-5-21-1390067357-1202660629-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FDE0CB5-619F-4227-8961-F2D7ED15B88E} -> Adware.CramToolbar : Schoongemaakt met een backup
    F:\Program Files\Microsoft AntiSpyware\Quarantine\B95B0640-EAC6-4C85-B51F-D9858E\170D9376-8775-4493-802B-B70218 -> Adware.Softomate : Schoongemaakt met een backup
    F:\WINDOWS\system32\comdlg64.dll -> Rootkit.Agent.bk : Schoongemaakt met een backup
    F:\WINDOWS\system32\kernels8.exe -> Downloader.Tibs.dp : Schoongemaakt met een backup
    F:\WINDOWS\system32\shellbn.exe -> Proxy.Small.bo : Schoongemaakt met een backup
    F:\WINDOWS\toolbar.exe -> Downloader.Adload.ai : Schoongemaakt met een backup


    ::Einde rapport


    still got the logon-problem though. :(
  • TroganTrogan London, UK
    edited April 2006
    Please print out these instructions as you should have all open windows and programs closed when running the scan.

    Step 1.
    ==========

    - Please download F-Secure's trial Blacklight from here
    - Print out the help page for guidance. It will be found here
    - Click the "I Accept" button at the license agreement
    - Click the "Download" button to start the download
    - Save it to your Desktop

    Step 2.
    ==========

    - Double-click the blbeta.exe file on your Desktop
    - Select the "I Accept the agreement" at the license agreement, then click "Next"
    - Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
    - Click "Scan"
    - When the animated graphics, in the bottom right-hand corner, disappears, click "Next"
    - A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (ie: fsbl-20051017165931.log)
    - Paste the contents of that log back here.
  • edited April 2006
    Didn't find anything...

    04/01/06 19:26:53 [Info]: BlackLight Engine 1.0.33 initialized
    04/01/06 19:26:53 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    04/01/06 19:26:53 [Note]: 7019 4
    04/01/06 19:26:53 [Note]: 7005 0
    04/01/06 19:27:33 [Note]: 7007 0
  • TroganTrogan London, UK
    edited April 2006
    Yeah, that looks fine. Can you do this scan please.

    Kaspersky Online Virus Scan
    - Click on the Kaspersky Online Scanner button
    - On the new window that opens, click the Accept button
    - Kaspersky will check if you have the ActiveX installed. If not, you will be prompted to download it. Please do - it is perfectly safe.
    - After accepting to install the ActiveX, you will need to click Accept again
    - Kaspersky will then install the ActiveX and download the latest Anti-Virus files from their database. Please be patient, it may take several minutes to download the latest files. Click Next when done
    - Select My Computer
    Please do NOT use the internet while Kaspersky is scanning
    - When the scan is complete, click the Save as Text button. Call it Virus Results and save the report to your desktop.
    - Open the file and paste the entire contents here
  • edited April 2006

    KASPERSKY ON-LINE SCANNER REPORT
    Sunday, April 02, 2006 1:28:13 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 2/04/2006
    Kaspersky Anti-Virus database records: 174254

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 107649
    Number of viruses found: 11
    Number of infected objects: 25
    Number of suspicious objects: 2
    Duration of the scan process: 01:42:55

    Infected Object Name / Virus Name / Last Action
    C:\System Volume Information\_restore{9178C9EF-B248-4F18-9478-6CDDE70B05EA}\RP767\A0225330.dll Infected: Trojan-Spy.Win32.Delf.cb skipped
    F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip/svchost.exe Suspicious: Password-protected-EXE skipped
    F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip ZIP: suspicious - 1 skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0244854.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0244864.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0244871.exe Infected: Trojan-PSW.Win32.Agent.fv skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0245903.exe Infected: Trojan-Downloader.Win32.CWS.s skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0245917.exe Infected: Email-Worm.Win32.Locksky.aj skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0245918.exe Infected: Trojan-Downloader.Win32.CWS.s skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0245930.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0245932.exe Infected: Email-Worm.Win32.Locksky.aj skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP822\A0245939.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP824\A0246040.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP825\A0246159.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0246191.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0246211.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0246222.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0246234.dll Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0246244.exe Infected: Backdoor.Win32.Agent.xb skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0246247.exe Infected: Trojan.Win32.StartPage.adi skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0246249.exe Infected: Trojan-Proxy.Win32.Small.bo skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0249617.exe Infected: Trojan-Downloader.Win32.Tibs.dp skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0249618.exe Infected: Trojan-Proxy.Win32.Small.bo skipped
    F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0249619.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
    F:\WINDOWS\OEM.exe Infected: Trojan-PSW.Win32.Agent.fv skipped
    F:\WINDOWS\OEM.exe.bak Infected: Trojan-PSW.Win32.Agent.fv skipped
    F:\WINDOWS\system\svchost.dll Infected: Backdoor.Win32.Agent.xb skipped

    Scan process completed.


    I think this might be something... the svchost file is the one that goes to 99% at startup...?
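    The Kaspersky report above mixes three very different kinds of hits: files that only exist inside System Restore snapshots (harmless until a restore is performed), files already sitting in a scanner's recovery folder, and files on the live system. Only the last group matters for the startup problem, and the one live hit that stands out is a file named like a Windows system binary (svchost) living in WINDOWS\system rather than system32. The script below is an added example, not part of the thread or of any tool mentioned in it; it parses a constructed subset of the report lines posted above and sorts them into those buckets, then flags system-binary names found outside system32. The list of system binary stems is an assumption made for the example.

```python
"""Triage helper for a Kaspersky On-line Scanner report (added example).

Separates detections that live only in System Restore snapshots or scanner
recovery folders from files on the live system, and flags well-known Windows
system binary names that appear outside \\WINDOWS\\system32.
"""
import re
from collections import Counter

# Constructed sample: a subset of the report lines posted in the thread above.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{9178C9EF-B248-4F18-9478-6CDDE70B05EA}\RP767\A0225330.dll Infected: Trojan-Spy.Win32.Delf.cb skipped
F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip/svchost.exe Suspicious: Password-protected-EXE skipped
F:\System Volume Information\_restore{C103E055-12CD-4A46-AB7B-970F524795BC}\RP826\A0249617.exe Infected: Trojan-Downloader.Win32.Tibs.dp skipped
F:\WINDOWS\OEM.exe Infected: Trojan-PSW.Win32.Agent.fv skipped
F:\WINDOWS\OEM.exe.bak Infected: Trojan-PSW.Win32.Agent.fv skipped
F:\WINDOWS\system\svchost.dll Infected: Backdoor.Win32.Agent.xb skipped
"""

# One report line: <path> Infected|Suspicious: <detection name> <last action>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$"
)

# Assumed set of core Windows process names that malware commonly imitates.
SYSTEM_STEMS = {"svchost", "winlogon", "lsass", "services", "csrss", "smss"}


def parse_report(text):
    """Return one dict per parsable detection line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(path):
    """Bucket a path as restore_point, quarantine or live."""
    p = path.lower()
    if "system volume information\\_restore" in p:
        return "restore_point"
    if "\\recovery\\" in p or "\\quarantine\\" in p:
        return "quarantine"
    return "live"


def is_lookalike(path):
    """True when the file name mimics a core system binary but its parent
    directory is not system32 (e.g. \\WINDOWS\\system\\svchost.dll)."""
    parts = re.split(r"[\\/]", path)
    stem = parts[-1].rsplit(".", 1)[0].lower()
    parent = parts[-2].lower() if len(parts) > 1 else ""
    return stem in SYSTEM_STEMS and parent != "system32"


def triage(text):
    """Summarise a report: paths per bucket, detection family counts, and
    live files whose name imitates a system binary."""
    buckets = {"live": [], "restore_point": [], "quarantine": []}
    families = Counter()
    for entry in parse_report(text):
        buckets[classify(entry["path"])].append(entry["path"])
        families[entry["name"]] += 1
    lookalikes = [p for p in buckets["live"] if is_lookalike(p)]
    return {"buckets": buckets, "families": families, "lookalikes": lookalikes}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, paths in result["buckets"].items():
        print(f"{bucket}: {len(paths)} detection(s)")
    for path in result["lookalikes"]:
        print("system-binary name outside system32:", path)
```

    Running it on the sample prints three live detections, two restore-point entries and one quarantined file, and names F:\WINDOWS\system\svchost.dll as the only system-binary lookalike; the System Restore hits can be dealt with later by purging old restore points rather than by hand.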
  • TroganTrogan London, UK
    edited April 2006
    Print these instructions or save them to a convenient location as you will have no internet connection. Can you do the following:

    Please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

    Once in Safe Mode, you need to View hidden files and folders.
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Next, find and delete the following file:

    F:\WINDOWS\system\svchost.dll << this file


    Reboot back into Normal Mode and do the following:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • F:\WINDOWS\OEM.exe
    • Click on the submit button
    • Please post the results in your next reply.

    Do the same for this file: F:\WINDOWS\OEM.exe.bak
  • edited April 2006
    after deleting svchost.dll the startup problems still occur. :( Maybe it's just old deleted apps trying to launch or something?

    File: OEM.exe
    Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
    MD5 b29dbbf7c68faea64a9a68b7f7a32bfc
    Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Generic.Malware.M.183A79BB (probable variant)
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    File: OEM.exe.bak
    Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
    MD5 b29dbbf7c68faea64a9a68b7f7a32bfc
    Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Generic.Malware.M.183A79BB (probable variant)
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
  • TroganTrogan London, UK
    edited April 2006
    Check and see if you have the following files. Make sure you can view hidden files and folders.

    F:\WINDOWS\system\svchost.exe << this file
    F:\WINDOWS\system\svchosthook.dll << this file

    Let me know.
  • edited April 2006
    I don't. I have svchost.exe in the system32 folder, and also svcpack.dll in the same folder.
  • TroganTrogan London, UK
    edited April 2006
    Can you go here and have these files scanned please. Post back the results.

    F:\WINDOWS\OEM.exe
    F:\WINDOWS\OEM.exe.bak
  • edited April 2006
    This is a report processed by VirusTotal on 04/03/2006 at 20:06:54 (CET) after scanning the file "OEM.exe" file.
    Antivirus Version Update Result
    AntiVir 6.34.0.14 04.03.2006 no virus found
    Avast 4.6.695.0 04.03.2006 no virus found
    AVG 386 04.03.2006 no virus found
    Avira 6.34.0.54 04.03.2006 no virus found
    BitDefender 7.2 04.03.2006 Generic.Malware.M.183A79BB
    CAT-QuickHeal 8.00 03.31.2006 (Suspicious) - DNAScan
    ClamAV devel-20060202 04.03.2006 no virus found
    DrWeb 4.33 04.03.2006 Trojan.Spambot
    eTrust-InoculateIT 23.71.118 04.02.2006 no virus found
    eTrust-Vet 12.4.2146 04.03.2006 no virus found
    Ewido 3.5 04.03.2006 no virus found
    Fortinet 2.71.0.0 04.03.2006 no virus found
    F-Prot 3.16c 03.30.2006 no virus found
    Ikarus 0.2.59.0 04.03.2006 no virus found
    Kaspersky 4.0.2.24 04.03.2006 Trojan-PSW.Win32.Agent.fv
    McAfee 4732 04.03.2006 no virus found
    NOD32v2 1.1467 04.02.2006 no virus found
    Norman 5.90.15 04.03.2006 no virus found
    Panda 9.0.0.4 04.03.2006 Suspicious file
    Sophos 4.04.0 04.03.2006 no virus found
    Symantec 8.0 04.03.2006 no virus found
    TheHacker 5.9.7.124 04.03.2006 no virus found
    UNA 1.83 04.03.2006 no virus found
    VBA32 3.10.5 04.03.2006 no virus found


    This is a report processed by VirusTotal on 04/03/2006 at 20:18:53 (CET) after scanning the file "OEM.exe.bak" file.
    Antivirus Version Update Result
    AntiVir 6.34.0.14 04.03.2006 no virus found
    Avast 4.6.695.0 04.03.2006 no virus found
    AVG 386 04.03.2006 no virus found
    Avira 6.34.0.54 04.03.2006 no virus found
    BitDefender 7.2 04.03.2006 Generic.Malware.M.183A79BB
    CAT-QuickHeal 8.00 03.31.2006 (Suspicious) - DNAScan
    ClamAV devel-20060202 04.03.2006 no virus found
    DrWeb 4.33 04.03.2006 Trojan.Spambot
    eTrust-InoculateIT 23.71.118 04.02.2006 no virus found
    eTrust-Vet 12.4.2146 04.03.2006 no virus found
    Ewido 3.5 04.03.2006 no virus found
    Fortinet 2.71.0.0 04.03.2006 no virus found
    F-Prot 3.16c 03.30.2006 no virus found
    Ikarus 0.2.59.0 04.03.2006 no virus found
    Kaspersky 4.0.2.24 04.03.2006 Trojan-PSW.Win32.Agent.fv
    McAfee 4732 04.03.2006 no virus found
    NOD32v2 1.1467 04.02.2006 no virus found
    Norman 5.90.15 04.03.2006 no virus found
    Panda 9.0.0.4 04.03.2006 Suspicious file
    Sophos 4.04.0 04.03.2006 no virus found
    Symantec 8.0 04.03.2006 no virus found
    TheHacker 5.9.7.124 04.03.2006 no virus found
    UNA 1.83 04.03.2006 no virus found
    VBA32 3.10.5 04.03.2006 no virus found
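    Two things in these multi-engine reports are worth reading carefully before deciding a file is a false positive: how many engines give a named signature versus a generic or heuristic verdict, and how fresh each engine's definitions were (a "no virus found" from an engine whose update date is a few days behind carries less weight). The Jotti results further up also show both files share the MD5 b29dbbf7c68faea64a9a68b7f7a32bfc, so OEM.exe.bak is a byte-identical copy and scanning it separately adds nothing. The script below is an added example and not part of the thread or of VirusTotal; it parses a constructed subset of the rows posted above, tallies clean, heuristic and signature verdicts, and lists engines whose definitions predate the scan date. Treating "Suspicious" and "Generic." results as heuristic is an assumption made for the example.

```python
"""Consensus summary for a VirusTotal-style multi-engine report (added example).

Row format, as posted in the thread: <engine> <version> <MM.DD.YYYY> <result>
"""
import re
from datetime import datetime

# Constructed sample: a subset of the OEM.exe rows posted above.
SAMPLE_VT = """
AntiVir 6.34.0.14 04.03.2006 no virus found
BitDefender 7.2 04.03.2006 Generic.Malware.M.183A79BB
CAT-QuickHeal 8.00 03.31.2006 (Suspicious) - DNAScan
ClamAV devel-20060202 04.03.2006 no virus found
DrWeb 4.33 04.03.2006 Trojan.Spambot
eTrust-InoculateIT 23.71.118 04.02.2006 no virus found
F-Prot 3.16c 03.30.2006 no virus found
Kaspersky 4.0.2.24 04.03.2006 Trojan-PSW.Win32.Agent.fv
McAfee 4732 04.03.2006 no virus found
Panda 9.0.0.4 04.03.2006 Suspicious file
Symantec 8.0 04.03.2006 no virus found
VBA32 3.10.5 04.03.2006 no virus found
"""

ROW_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+) (?P<update>\d\d\.\d\d\.\d{4}) (?P<result>.+)$"
)


def parse_rows(text):
    """Return one dict per engine row; lines that do not match are ignored."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify_result(result):
    """clean / heuristic / signature, by the shape of the verdict text.
    Assumption: generic and 'suspicious' verdicts are heuristic, anything
    else that is not 'no virus found' is a named signature."""
    r = result.strip().lower()
    if r == "no virus found":
        return "clean"
    if "suspicious" in r or r.startswith("generic."):
        return "heuristic"
    return "signature"


def summarize(text):
    """Count verdict kinds and collect the non-clean verdicts per engine."""
    rows = parse_rows(text)
    counts = {"clean": 0, "heuristic": 0, "signature": 0}
    detections = {}
    for row in rows:
        kind = classify_result(row["result"])
        counts[kind] += 1
        if kind != "clean":
            detections[row["engine"]] = row["result"]
    return {"engines": len(rows), "counts": counts, "detections": detections}


def stale_engines(text, scan_date="04.03.2006"):
    """Engines whose definition update date is older than the scan date."""
    cutoff = datetime.strptime(scan_date, "%m.%d.%Y")
    return [
        row["engine"]
        for row in parse_rows(text)
        if datetime.strptime(row["update"], "%m.%d.%Y") < cutoff
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_VT)
    print(f"{summary['engines']} engines: {summary['counts']}")
    for engine, verdict in summary["detections"].items():
        print(f"  {engine}: {verdict}")
    print("definitions older than scan date:", stale_engines(SAMPLE_VT))
```

    On the sample, two engines (DrWeb and Kaspersky) give a named signature while three give only heuristic verdicts, and three of the "clean" or heuristic engines were running definitions from before the scan date. That split is the reason a low hit count on VirusTotal is not by itself a clean bill of health for a packed executable.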
  • TroganTrogan London, UK
    edited April 2006
    Update Ewido but do not run a scan yet.

    Go back into Safe Mode and delete these files

    F:\WINDOWS\OEM.exe << this file
    F:\WINDOWS\OEM.exe.bak << this file

    Run Ewido and save a log.

    Reboot and post the log here, along with a new HJT log please.
  • edited April 2006
    Ewido found nothing!

    Logfile of HijackThis v1.99.1
    Scan saved at 23:43:25, on 3/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\wltrysvc.exe
    F:\WINDOWS\System32\bcmwltry.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    F:\Program Files\ewido anti-malware\ewidoctrl.exe
    F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    F:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    F:\WINDOWS\system32\nvsvc32.exe
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
    F:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
    F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\Program Files\iTunes\iTunesHelper.exe
    F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    F:\Program Files\UltraMon\UltraMon.exe
    F:\Program Files\MSN Messenger\msnmsgr.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    F:\Program Files\UltraMon\UltraMonTaskbar.exe
    F:\WINDOWS\system32\wuauclt.exe
    I:\Downloads\HijackThis.exe
    F:\WINDOWS\system32\msiexec.exe
    F:\Program Files\iPod\bin\iPodService.exe
    F:\WINDOWS\System32\wbem\wmiapsrv.exe
    F:\PROGRA~1\BONECH~1\FIREFOX.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvtv.nl/cgi-bin/WebObjects/EPGnl.woa
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.be/0SENLBE/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [PMCRemote] F:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [PMCS] "F:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" -host -clearDebug
    O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [UltraMon] "F:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Bluetooth.lnk = F:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/include/pki/SecuiTechIE.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
    O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092090677218
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132860717750
    O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag2729.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax2729.cab
    O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySql - Unknown owner - F:/MySQL/mysql-4.1.1a-alpha/bin/mysqld-nt.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe



    I'm starting to think the startup problem (which occurs just before the wireless-software starts up) might just be a compatibility issue between the recent drivers and some old ones (the machine is 3,5 years old)
  • TroganTrogan London, UK
    edited April 2006
    I'm starting to think the startup problem (which occurs just before the wireless-software starts up) might just be a compatibility issue between the recent drivers and some old ones (the machine is 3,5 years old)
    It could be. Your computer seems to be free of malware.


    Can you access the Security Centre now?

    What about svchost reaching 100%?
  • edited April 2006
    Security Center is still a no-go, and the svchost still reaches 100% while starting up.. it's odd.

    thanks anyway. :)
  • TroganTrogan London, UK
    edited April 2006
    Could you do this last thing please?
    • Open HJT
    • Press Open the Misc Tools section
    • On the left, press Open Uninstall Manager
    • Click on Save list... and save the contents to your desktop
    • Post the entire contents here
  • edited April 2006
    Adaptec ASPI XP v4.6 (1021)
    Ad-Aware SE Personal
    Adobe Photoshop CS
    Adobe Reader 7.0.7
    Ahead Nero Burning ROM
    AOpen Multimedia Utilities
    AOpen WDM Capture Drivers
    AVG Free Edition
    Belkin Wireless Utility
    Beveiligingsupdate for Windows Media Player 10 (KB911565)
    Beveiligingsupdate voor Windows Media Player (KB911564)
    Beveiligingsupdate voor Windows XP (KB883939)
    Beveiligingsupdate voor Windows XP (KB890046)
    Beveiligingsupdate voor Windows XP (KB893756)
    Beveiligingsupdate voor Windows XP (KB896358)
    Beveiligingsupdate voor Windows XP (KB896422)
    Beveiligingsupdate voor Windows XP (KB896423)
    Beveiligingsupdate voor Windows XP (KB896424)
    Beveiligingsupdate voor Windows XP (KB896428)
    Beveiligingsupdate voor Windows XP (KB896688)
    Beveiligingsupdate voor Windows XP (KB899587)
    Beveiligingsupdate voor Windows XP (KB899588)
    Beveiligingsupdate voor Windows XP (KB899589)
    Beveiligingsupdate voor Windows XP (KB899591)
    Beveiligingsupdate voor Windows XP (KB900725)
    Beveiligingsupdate voor Windows XP (KB901017)
    Beveiligingsupdate voor Windows XP (KB901214)
    Beveiligingsupdate voor Windows XP (KB902400)
    Beveiligingsupdate voor Windows XP (KB903235)
    Beveiligingsupdate voor Windows XP (KB904706)
    Beveiligingsupdate voor Windows XP (KB905414)
    Beveiligingsupdate voor Windows XP (KB905749)
    Beveiligingsupdate voor Windows XP (KB905915)
    Beveiligingsupdate voor Windows XP (KB908519)
    Beveiligingsupdate voor Windows XP (KB911927)
    Beveiligingsupdate voor Windows XP (KB912919)
    Beveiligingsupdate voor Windows XP (KB913446)
    Bon Echo (2.0a1)
    Crimson Editor (remove only)
    DivX
    ewido anti-malware
    FL Studio 5
    floAt's Mobile Agent 2
    Grand Master Chess OnLine
    HighMAT-uitbreiding voor de wizard Cd branden van Microsoft Windows XP
    HijackThis 1.99.1
    Indeo® software
    Intel A/V Codecs V2.0
    Intel Application Accelerator
    iPod for Windows 2006-03-23
    iScrobbler
    iTunes
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_04
    Kaspersky On-line Scanner
    LimeWire PRO 4.9.28
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    Messenger Beta
    Microsoft "Indigo" Beta 2
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Dutch Language Pack
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0 Beta 2
    Microsoft Data Access Components KB870669
    Microsoft Office Professional Edition 2003
    Microsoft SQL Server Desktop Engine (PINNACLESYS)
    MSN Screen Saver (Beta)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser and SDK
    NVIDIA Display Driver
    NVIDIA Drivers
    Panda ActiveScan
    Picasa 2
    Pinnacle MediaCenter
    Pinnacle MediaServer
    PowerDVD
    PrimoPDF
    Quick Screen Recorder 1.5
    QuickTime
    Roller Coaster Tycoon 2
    Shockwave
    SmartFTP
    SmartFTP Client 2.0
    Sonic Foundry ACID 4.0
    Sonic Foundry Sound Forge 6.0
    Sound Blaster Audigy
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    StepMania (remove only)
    UltraMon
    Update voor Windows XP (KB894391)
    Update voor Windows XP (KB896727)
    Update voor Windows XP (KB898461)
    Update voor Windows XP (KB910437)
    VobSub v2.23 (Remove Only)
    WIDCOMM Bluetooth Software
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Live Safety scanner
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Presentation Foundation September CTP v6.0.5215.50818
    Windows Workflow Foundation
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    WinFX Runtime Components 3.0 Beta 2 - ENU
    WinFX Runtime Components 3.0 Beta 2 - ENU
    WinZip
    XviD MPEG-4 Video Codec
    ZoneAlarm