Spyware Issue caused by MSN messenger

Logfile of HijackThis v1.99.1
Scan saved at 3:50:10 PM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rramln.exe
C:\windows\system32\bxadfsv.exe
C:\WINDOWS\System32\msnmessag.exe
C:\Program Files\Tyopfe\Mfnkaom.exe
C:\temp\salm.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\windows\system32\packager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\KEVDADDY\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Program Files\WAFFLEz\mlg1.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
O4 - HKLM\..\Run: [MSN Messages] msnmessag.exe
O4 - HKLM\..\Run: [Tivzxo] C:\Program Files\Tyopfe\Mfnkaom.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [pujgr] C:\WINDOWS\pujgr.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [MSN Messages] msnmessag.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSN Messages] msnmessag.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [MSN Messages] msnmessag.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

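Working through a HijackThis log by hand, as the thread does, means picking out the R/F/O entries, judging each autorun and then checking a later scan to see what survived the cleanup. The script below is an added example (not part of the original post or of HijackThis itself) that parses that line format, diffs two scans and flags O4 autoruns with the traits visible in this log: a bare filename with no path, a command under a temp directory, or an entry in the legacy RunServices key. The BEFORE and AFTER excerpts are constructed from lines quoted in this thread, not complete logs.

```python
"""Parse HijackThis v1.99 log lines, diff two scans, and flag suspicious O4 autoruns.
Added example for this thread; not the forum's or HijackThis's own code."""
import re
from dataclasses import dataclass

# Constructed excerpts copied from the logs posted in the thread (not full logs).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\rramln.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
O4 - HKLM\..\Run: [MSN Messages] msnmessag.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [MSN Messages] msnmessag.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
"""

AFTER = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [KavSvc] C:\...\rramln.exe".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# An O4 registry autorun body is "<hive>\..\<key>: [<label>] <command>".
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<label>[^\]]*)\] ?(?P<command>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O2", "O4", "O23", ...
    body: str     # everything after "O4 - "


def parse_log(text):
    """Return the R/F/O findings of a log; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def autorun_parts(entry):
    """(key, label, command) for an O4 registry autorun, or None for anything else
    (Startup-folder O4 lines have no [label] and are not parsed here)."""
    if entry.section != "O4":
        return None
    m = O4_RE.match(entry.body)
    return (m.group("key"), m.group("label"), m.group("command")) if m else None


def executable(command):
    """First token of the command: the quoted path if quoted, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def diff_logs(before_text, after_text):
    """Return (removed, persisted, added) lists of entry bodies. Bodies are compared
    case-insensitively so c:\\windows and C:\\WINDOWS count as the same entry."""
    def norm(e):
        return (e.section, e.body.lower())
    before = {norm(e): e for e in parse_log(before_text)}
    after = {norm(e): e for e in parse_log(after_text)}
    removed = sorted(before[k].body for k in before.keys() - after.keys())
    persisted = sorted(before[k].body for k in before.keys() & after.keys())
    added = sorted(after[k].body for k in after.keys() - before.keys())
    return removed, persisted, added


def suspicious_autoruns(entries):
    """Simple triage heuristics drawn from the traits seen in this thread's log.
    Returns [(body, [reasons])]; a hit is a prompt to look closer, not a verdict."""
    findings = []
    for e in entries:
        parts = autorun_parts(e)
        if not parts:
            continue
        key, _label, command = parts
        exe = executable(command)
        reasons = []
        if key.lower().endswith("runservices"):
            reasons.append("RunServices is a Win9x-era key; rarely used by legitimate XP software")
        if "\\" not in exe:
            reasons.append("bare filename with no path, resolved by PATH search")
        if "\\temp\\" in exe.lower():
            reasons.append("runs from a temp directory")
        if reasons:
            findings.append((e.body, reasons))
    return findings


if __name__ == "__main__":
    removed, persisted, added = diff_logs(BEFORE, AFTER)
    print("removed by cleanup:", *removed, sep="\n  ")
    print("still present:", *persisted, sep="\n  ")
    print("new since first scan:", *added, sep="\n  ")
    for body, reasons in suspicious_autoruns(parse_log(BEFORE)):
        print("FLAG:", body, "->", "; ".join(reasons))
```

In the thread's own logs this is exactly what the helper spots by eye: the `[KavSvc]`, `[bxadfsv]` and `[etbrun]` autoruns come back in scan after scan until the files themselves are deleted from Safe Mode.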
Comments

  • Buckeye_Sam, Columbus, Ohio
    edited April 2005
    You've got a lot going on in your log. This will likely take a few steps.

    Please remove these entries from Add/Remove Programs in the Control Panel (if present):

    Media Pass
    Media Access

    Please download CWShredder but don't run it yet.
    http://cwshredder.net/bin/CWSInstall.exe


    Download Ad-aware SE 1.05 from: http://www.majorgeeks.com/download506.html
    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: load=C:\Program Files\WAFFLEz\mlg1.exe
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
    O4 - HKLM\..\Run: [MSN Messages] msnmessag.exe
    O4 - HKLM\..\Run: [Tivzxo] C:\Program Files\Tyopfe\Mfnkaom.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [pujgr] C:\WINDOWS\pujgr.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\RunServices: [MSN Messages] msnmessag.exe
    O4 - HKCU\..\Run: [MSN Messages] msnmessag.exe
    O4 - HKCU\..\RunServices: [MSN Messages] msnmessag.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Reboot your computer into Safe Mode


    Now run CWShredder, making sure to click "Fix".


    Then delete these files or directories (do not be concerned if they do not exist):

    C:\WINDOWS\Pynix.dll
    C:\WINDOWS\nem220.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\pujgr.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\System32\rramln.exe
    c:\windows\system32\bxadfsv.exe
    C:\WINDOWS\System32\msnmessag.exe
    C:\windows\system32\elitednv32.exe
    C:\Program Files\Media Access
    C:\Program Files\Tyopfe
    C:\Program Files\WAFFLEz


    Run a full scan with Adaware.

    Reboot your computer to go back to normal mode and post a new log.
  • edited April 2005
    Thanks, here is what I have after the safe-mode scan.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:15:03 PM, on 4/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\System32\rramln.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\KEVDADDY\Desktop\HijackThis.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
    O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
  • Buckeye_Sam, Columbus, Ohio
    edited April 2005
    Looks much better! Good job! Still some issues though.

    Download rkfiles.zip
    http://skads.org/special/rkfiles.zip
    Unzip the contents to a permanent folder.

    Reboot your computer into Safe Mode


    Double-click rkfiles.bat.
    It will scan for a while, so please be patient.
    Wait till the DOS window closes and reboot back to normal mode.

    Post the contents of C:\log.txt in your next reply.

    Please download FindQoologic from here:
    http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981
    Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.
  • edited April 2005
    Here is the rkfiles log...

    C:\Documents and Settings\KEVDADDY\Desktop\rkfiles

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Files Found in system Folder............
    C:\WINDOWS\system32\nnopq.dll: UPX!
    C:\WINDOWS\system32\ppehbge.dll: UPX!
    C:\WINDOWS\system32\qqgby.dat: UPX!
    C:\WINDOWS\system32\rramln.exe: UPX!
    C:\WINDOWS\system32\winup2date.dll: UPX!
    C:\WINDOWS\system32\wmconfig.cpl: UPX!
    C:\WINDOWS\system32\eliteaak32.exe: FSG!
    C:\WINDOWS\system32\elitecav32.exe: FSG!
    C:\WINDOWS\system32\elitednv32.exe: FSG!
    C:\WINDOWS\system32\elitegfk32.exe: FSG!
    C:\WINDOWS\system32\elitegsb32.exe: FSG!
    C:\WINDOWS\system32\elitehom32.exe: FSG!
    C:\WINDOWS\system32\elitehxt32.exe: FSG!
    C:\WINDOWS\system32\eliteinf32.exe: FSG!
    C:\WINDOWS\system32\elitekjh32.exe: FSG!
    C:\WINDOWS\system32\elitekpz32.exe: FSG!
    C:\WINDOWS\system32\elitelsh32.exe: FSG!
    C:\WINDOWS\system32\elitemlm32.exe: FSG!
    C:\WINDOWS\system32\elitepbd32.exe: FSG!
    C:\WINDOWS\system32\elitesop32.exe: FSG!
    C:\WINDOWS\system32\elitesoz32.exe: FSG!
    C:\WINDOWS\system32\elitetcu32.exe: FSG!
    C:\WINDOWS\system32\elitetfj32.exe: FSG!
    C:\WINDOWS\system32\elitevpl32.exe: FSG!
    C:\WINDOWS\system32\elitexxg32.exe: FSG!
    C:\WINDOWS\system32\elitezwf32.exe: FSG!
    C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
    C:\WINDOWS\system32\DivX.dll: PEC2

    Files Found in all users startup Folder............
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddup.exe: UPX!
    Files Found in all users windows Folder............
    C:\WINDOWS\daemon.dll: UPX!
    C:\WINDOWS\farmmext.exe: UPX!
    C:\WINDOWS\wupdsnff.exe: UPX!
    Finished
    bye

    and here is the qoologic log....

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

    (fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

    Global Startup:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    .
    ..
    ddup.exe
    desktop.ini
    Microsoft Office.lnk
    WinZip Quick Pick.lnk

    User Startup:
    C:\Documents and Settings\KEVDADDY\Start Menu\Programs\Startup
    .
    ..
    desktop.ini
    Webshots.lnk

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ggstkqsy
    <NO NAME> REG_SZ {c864d04a-760d-40c9-839a-d77a4a0f2f14}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    <NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    <NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME> REG_SZ Start Menu Pin

    »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    "Find activesetup", version1, launched at: 20:19
    Operating System: Windows XP


    HKLM\Software\Microsoft\Active Setup\Installed Components\
    "3a307100-05e7-4af6-9927-ef221670b143\(Default)" = ""
    \StubPath = "C:\WINDOWS\System32\ccxrqox.exe" [null data]
    ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
    \StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]


    I hope that's what you needed.
  • Buckeye_Sam, Columbus, Ohio
    edited April 2005
    Download the attached file and extract fix2.reg to your desktop. Double click on it and OK the prompt.


    Download Killbox from here.
    http://www.downloads.subratam.org/KillBox.zip

    Run KillBox, select the option: Replace on Reboot
    Then, in the Full Path of File to Delete box, copy and paste this entry:

    C:\WINDOWS\system32\nnopq.dll

    Select the option: Use Dummy
    Press the button with a red circle and a white X (Delete File button)
    Click Yes at the Replace on Reboot confirmation prompt.
    Click No at the request to reboot.

    Do the exact same as above for each and every one of the files that follow, and select No at the request to reboot!

    C:\WINDOWS\system32\ppehbge.dll
    C:\WINDOWS\system32\qqgby.dat
    C:\WINDOWS\system32\rramln.exe
    C:\WINDOWS\system32\winup2date.dll
    C:\WINDOWS\system32\wmconfig.cpl
    C:\WINDOWS\system32\eliteaak32.exe
    C:\WINDOWS\system32\elitecav32.exe
    C:\WINDOWS\system32\elitednv32.exe
    C:\WINDOWS\system32\elitegfk32.exe
    C:\WINDOWS\system32\elitegsb32.exe
    C:\WINDOWS\system32\elitehom32.exe
    C:\WINDOWS\system32\elitehxt32.exe
    C:\WINDOWS\system32\eliteinf32.exe
    C:\WINDOWS\system32\elitekjh32.exe
    C:\WINDOWS\system32\elitekpz32.exe
    C:\WINDOWS\system32\elitelsh32.exe
    C:\WINDOWS\system32\elitemlm32.exe
    C:\WINDOWS\system32\elitepbd32.exe
    C:\WINDOWS\system32\elitesop32.exe
    C:\WINDOWS\system32\elitesoz32.exe
    C:\WINDOWS\system32\elitetcu32.exe
    C:\WINDOWS\system32\elitetfj32.exe
    C:\WINDOWS\system32\elitevpl32.exe
    C:\WINDOWS\system32\elitexxg32.exe
    C:\WINDOWS\system32\elitezwf32.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\wupdsnff.exe

    Finally, in the Full Path of File to Delete, copy and paste the following:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddup.exe

    Press the button with a red circle and a white X.
    Click Yes at the Replace on Reboot prompt.
    Click Yes at the request to reboot.

    On this last file, close KillBox and Notepad, and Reboot the computer!!

    Now let's see what's left. Please post a new hijackthis log, rkfiles log, and findqoologic log.
  • edited April 2005
    First we have the rkfiles log...


    C:\Documents and Settings\KEVDADDY\Desktop\rkfiles

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Files Found in system Folder............
    C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
    C:\WINDOWS\system32\DivX.dll: PEC2

    Files Found in all users startup Folder............
    Files Found in all users windows Folder............
    C:\WINDOWS\daemon.dll: UPX!
    Finished
    bye

    Next, we have the HijackThis log...

    Logfile of HijackThis v1.99.1
    Scan saved at 7:11:05 PM, on 4/26/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\KEVDADDY\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
    O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: ddup.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

    and finally...the qoologic log...

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»



    »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

    (fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

    Global Startup:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    .
    ..
    ddup.exe
    desktop.ini
    Microsoft Office.lnk
    WinZip Quick Pick.lnk

    User Startup:
    C:\Documents and Settings\KEVDADDY\Start Menu\Programs\Startup
    .
    ..
    desktop.ini
    Webshots.lnk

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ggstkqsy
    <NO NAME> REG_SZ {c864d04a-760d-40c9-839a-d77a4a0f2f14}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    <NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    <NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME> REG_SZ Start Menu Pin

    »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    "Find activesetup", version1, launched at: 19:20
    Operating System: Windows XP


    HKLM\Software\Microsoft\Active Setup\Installed Components\
    ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
    \StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]


    I believe that is it. Thank you.
  • Buckeye_Sam, Columbus, Ohio
    edited April 2005
    We're getting close now.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
    O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
    O4 - Global Startup: ddup.exe


    Reboot your computer into Safe Mode

    Then delete these files or directories (do not be concerned if they do not exist):

    C:\windows\system32\elitednv32.exe
    c:\windows\system32\bxadfsv.exe
    C:\WINDOWS\System32\rramln.exe
    ddup.exe


    Reboot your computer to go back to normal mode and post a new log.
  • edited April 2005
    Thank you. Here is the HijackThis log file...

    Logfile of HijackThis v1.99.1
    Scan saved at 9:17:11 PM, on 4/27/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\KEVDADDY\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
    O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Reboot your computer into Safe Mode


    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
    O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe


    Reboot back to normal mode and post a new HijackThis log.
  • edited April 2005
    Here ya go...




    Logfile of HijackThis v1.99.1
    Scan saved at 5:21:51 PM, on 4/28/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\KEVDADDY\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
    O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
    O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitemuc32.exe
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe



    ...thanks.
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Please copy this text to Notepad and save it as fix.reg. Make sure to select the file type as All Files.
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "etbrun"=-
    "bxadfsv"=-
    "KavSvc"=-


    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
    O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
    O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitemuc32.exe


    Reboot your computer into Safe Mode


    Double click fix.reg that you saved earlier. OK the prompt.


    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\windows\system32\elitednv32.exe
    c:\windows\system32\bxadfsv.exe
    C:\WINDOWS\System32\rramln.exe
    c:\windows\system32\elitemuc32.exe


    Reboot your computer to go back to normal mode and post a new log.
  • edited April 2005
    Here is the log. The "fix.reg" file didn't do anything when I opened it in safe mode. But here is the log anyway.





    Logfile of HijackThis v1.99.1
    Scan saved at 9:34:00 PM, on 4/28/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\KEVDADDY\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemuc32.exe
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    The reg file worked perfectly. It just does it all very quickly. :)

    You still have one stinker showing up in your log. Please go to this site and have an online virus scan done. When it is complete you should get a log of what was found that will include files that the scan didn't remove. Please post that log here.

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
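    As an added illustration (not part of this thread, and not code from HijackThis or Panda), the check Buckeye_Sam does by eye above can be scripted: parse the O4 Run-key lines out of the log posted before the fix and the one posted after, report which startup entries disappeared, and write a REGEDIT4 file for whatever target is still there. The two log excerpts below are constructed from the logs in this thread (O4 lines only), and the regular expression and helper names are my own.

```python
import re

# Constructed excerpts of the O4 (Run key) lines from the two HijackThis logs
# in this thread: the one posted before fix.reg / "Fix Checked" and the one
# posted after. Only the lines needed for the comparison are included.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitednv32.exe
O4 - HKLM\..\Run: [bxadfsv] c:\windows\system32\bxadfsv.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rramln.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitemuc32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemuc32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# HijackThis prints Run-key entries as:  O4 - <hive>\..\Run: [<value name>] <command>
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def parse_run_entries(log_text):
    """Map (hive, value name) -> command line for every O4 Run entry in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries[(m["hive"], m["name"])] = m["cmd"]
    return entries


def diff_run_entries(before, after):
    """Return (removed, added): (hive, name) keys that vanished or appeared."""
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    return removed, added


def still_present(after, targets):
    """Which of the targeted value names (compared case-insensitively,
    as the registry does) are still listed in the newer log."""
    names = {name.lower() for _, name in after}
    return [t for t in targets if t.lower() in names]


def build_fix_reg(hive, names):
    """REGEDIT4 text that deletes the named values from the hive's Run key.
    A value line ending in =- is the .reg syntax for 'delete this value',
    which is what the fix.reg in this thread relies on."""
    lines = ["REGEDIT4", "", f"[{HIVE_NAMES[hive]}\\{RUN_KEY}]"]
    lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before = parse_run_entries(LOG_BEFORE)
    after = parse_run_entries(LOG_AFTER)
    removed, added = diff_run_entries(before, after)
    print("removed:", [n for _, n in removed])
    print("added:  ", [n for _, n in added])
    leftover = still_present(after, ["etbrun", "bxadfsv", "KavSvc", "checkrun"])
    print("targets still present:", leftover)
    print(build_fix_reg("HKLM", leftover))
```

    Run against the two excerpts it reports etbrun, bxadfsv and KavSvc as removed and checkrun as the one target still present, which is the same conclusion as the reply above; the diff also lists any entry that appeared between the two logs, since a fresh Run value after a cleanup is worth a second look.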
  • edited May 2005
    Here is the Panda scan log... it was a little long so it's in two parts.


    Incident Status Location

    Adware:Adware/ClkOptimizer No disinfected C:\!Submit\nnopq.dll
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\KEVDADDY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-34d3d0c6.zip[InstallerApplet.class]
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Fun & Games\Betting.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Fun & Games\Casino Palace.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Fun & Games\Casino.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Fun & Games\Games.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Fun & Games\Horoscope.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Going Places\Air Tickets.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Going Places\Car Rentals.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Going Places\Hotel Deals.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Going Places\Luggage.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Going Places\Travel.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Living\Dating.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Living\Find a Degree.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Living\Find a job.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Living\Home.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Living\Insurance.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Auctions.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Books.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Computers.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Discount.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Flowers.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Golf.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Jewelry.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Movies.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Music.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Online Store.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Perfume.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Shop\Sleepwear.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Technology\Adware Remover.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Technology\Anti-Virus.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Technology\PC Cleaner.lnk
    Adware:Adware/CWS No disinfected C:\Documents and Settings\KEVDADDY\Favorites\Technology\Tech & gadgets.lnk
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\10145f1c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\105f2d9c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\10663a0c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\10a9088c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\10f0190c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\111ee2a.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\113be78c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1143c66c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\118ad4ec.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\11c591d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\11dda5e9.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\11e4b20e.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\122f806c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\12716eec.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\127279d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\12b87f6c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\12c34ddc.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\130a5a5c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\135d28dc.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1364395c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\13af07dc.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\13b1dda.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\13f6145c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\142ea7b.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1439e2dc.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1440f35c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\148bc1dc.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\14d2ae6c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\14e5bccf.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\152c8d5c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\15779bdc.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\158fc85.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\15b9685c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\15c14b2c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\160859ac.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\163cc20.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1653262c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\169a34ac.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\16ad052c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\16e341d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\16f413ac.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\173fe02c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1746ceac.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1789df2c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\17d0adac.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\181bba2c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\195f88b.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1aada27.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1dcc95a.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1e7d73c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\1f8131d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\203e18d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\22ea5bc.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\24ace1d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\271b23c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\29ddc9d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\2a4ad1d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\2efbb9d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\33688af.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\379969d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\383671d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\3ca759d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\4125094.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\4252177.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\46c0f94.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\4b71c14.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\4feea94.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\501fb14.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\50b37a56.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\548c994.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\593d604.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\5daa484.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\5edb514.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\5f43eb.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\6348394.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\665758.exe
  • edited May 2005
    Here is part two...



    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\67f9014.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\6817e94.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\6c84f14.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\6d586582.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\712c81ae.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\7135d94.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\76d3894.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\785a8ed7.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\79696330.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\7b40914.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\7c30c6.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\7ff1794.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\806e414.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\827a1d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\849f294.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\870191.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\890c304.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\8d8a3e4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\8e3b064.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\92a9ee4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\97c6f64.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\9877de4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\9ce4a74.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\a582964.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\a6337e4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\a922b0.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\aaa0464.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\afd12e4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\b04e364.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\b4ff1e4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\b96de64.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\bd9ace4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\be0bd64.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\c2b8be4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\c729854.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\c8466d4.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\ccf7754.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\ceeeed.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\d17521c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\d5488d.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\d5e209c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\d61310c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\da81f9c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\df3ec1c.exe
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\DrTemp\bho_prob.exe
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\DrTemp\thin-139-1-x-x.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\e3afa9c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\e4dcb1c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\e94d99c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\edfa61c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\ee6b48c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\f00fb5.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\f29850c.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\fba600c.exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\fFGFHQp.exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\fidcnkL.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\frbbfsjx.exe
    Adware:Adware/Lop No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\gfcwsyru.exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\istsv_.exe
    Adware:Adware/SideFind No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\sidefind.exe
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\THI510D.tmp\Pynix.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\THI7083.tmp\farmmext.exe
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\THI7083.tmp\farmmext.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\KEVDADDY\Local Settings\Temp\THI7083.tmp\farmmext.ini
    Spyware:Spyware/ISTbar No disinfected C:\gc.exe
    Possible Virus. No disinfected C:\Program Files\Atari\Act of War - Direct Action\fpupdate.exe
    Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Tyopfe\Mfnkaom.exe
    Spyware:Spyware/ISTbar No disinfected C:\RECYCLER\gc.exe
    Adware:Adware/nCase No disinfected C:\temp\salmau.dat
    Adware:Adware/nCase No disinfected C:\temp\salm_gdf.dat
    Adware:Adware/nCase No disinfected C:\temp\salm_kyf.dat
    Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.exe
    Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
    Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\Pynix.inf
    Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E3KFMLEZ\protector_update[1].exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Please download and install Cleanup 4.0
    http://cleanup.stevengould.org/

    Reboot your computer into Safe Mode

    Fix this line with HijackThis.

    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemuc32.exe

    Delete these files, if present.

    C:\gc.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\farmmext.ini
    C:\WINDOWS\inf\farmmext.inf
    C:\WINDOWS\inf\Pynix.inf
    C:\windows\system32\elitemuc32.exe
    C:\Program Files\Tyopfe\Mfnkaom.exe

    Now run CleanUp.

    Reboot back to normal mode and post a new HijackThis log.
  • edited May 2005
    Sorry for such a late reply, but I have been bogged down with school, track, and family lately. I ran the cleanup and it freed up 1.9 GB! I hope that was nothing I needed... my computer is running unusually slow lately; if I'm playing a song and open a Mozilla browser, the song gets crackly, almost like laggy, as if the system is bogged down. But all that I am running is Windows Media Player, the browser, and MSN. Is that just the spyware crap causing that?... Well anyhow, here is the HijackThis log...


    Logfile of HijackThis v1.99.1
    Scan saved at 11:06:31 AM, on 5/9/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\KEVDADDY\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemuc32.exe
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Please download miekiemoes' LQfix batch here:
    http://users.pandora.be/bluepatchy/LQfix.zip
    Unzip it to the desktop but do NOT run it yet.

    Reboot your computer into SAFE MODE

    Once in Safe Mode, please run LQfix.bat. When finished, restart your computer in normal mode and please post a new HijackThis log.
  • edited May 2005
    Here is the Hijack this log...


    Logfile of HijackThis v1.99.1
    Scan saved at 8:29:02 AM, on 5/10/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Warez P2P Client\warez.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\KEVDADDY\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemuc32.exe
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Fix this line with HijackThis.

    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemuc32.exe

    Delete this file and any others that begin with elite***32.exe

    C:\windows\system32\elitemuc32.exe

    Reboot and post a new HijackThis log.