
Require Assistance Please

I have been having some issues with Trojans the last little while. Most recently I had a few viruses, which I used my F-Secure to remove. Before and since those viruses' appearance and removal, F-Secure seems to detect about a hundred or so Trojan apps trying to run and deletes them; obviously the root of the problem is not being detected by F-Secure. Most recently my fstfwd.exe, which I believe is a part of F-Secure, has been maxing out my CPU, causing me to kill the process and as a result killing the Internet Shield feature in F-Secure. I don't know enough regarding what processes, .exe's, and .dll's are required for my PC to run correctly. I have performed numerous scans with XoftSpy, Ad-Aware SE, and F-Secure. All your expert knowledge would be greatly appreciated.

Here is my log file. I have never done this before, so if I'm missing anything please let me know. I am leaving in about a month for 8 months in Afghanistan with the Canadian Armed Forces and would love to resolve this before I leave.

Cheers,

Logfile of HijackThis v1.99.1
Scan saved at 8:16:21 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\msrv32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\COGECO Security Services\Common\FCH32.EXE
C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
C:\Program Files\COGECO Security Services\FSPC\fspc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\COGECO Security Services\Common\FSM32.EXE
C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\COGECO Security Services\FSGUI\fsguidll.exe
C:\PROGRA~1\COGECO~1\ANTI-S~1\fsaw.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{DF2F3873-ACE5-856A-9F49-FCBAA3361D9E} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: COGECO Security Services.lnk = C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\COGECO Security Services\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.YOUR-968A8C4819\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913656412
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: smss.dll
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Application Layer Gateway - Unknown owner - C:\WINDOWS\system\msrv32.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi279533.exe
O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. - C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
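A small triage helper for the HijackThis log format pasted above, added here as an example; it is not part of the original post and not HijackThis's own code. The sample lines are constructed from the entry types seen in the log, and the heuristics (publisher-less O23 services, a non-empty AppInit_DLLs value, a broken O10 LSP chain, orphaned "(file missing)"/"(no file)" entries) are assumptions about what a reviewer reads first, not a verdict on any file.

```python
"""Triage helper for HijackThis-style log lines (added example; sample data constructed)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: entry types modelled on the HijackThis v1.99.1 log quoted in the
# thread (O4 Run keys, O10 LSP status, O20 AppInit/Winlogon Notify, O23 services, R3 hook).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O20 - AppInit_DLLs: smss.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Application Layer Gateway - Unknown owner - C:\WINDOWS\system\msrv32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
R3 - URLSearchHook: (no name) - _{DF2F3873-ACE5-856A-9F49-FCBAA3361D9E} - (no file)
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O23"
    reason: str   # why a reviewer would look at this entry first
    line: str     # the original log line


APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
LSP_RE = re.compile(r"^O10 - Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing$")


def triage_line(line: str) -> List[Finding]:
    """Return the review-worthy findings for one log line (empty list if none).

    The heuristics are assumptions about reviewer priorities, not malware verdicts:
    an entry can be flagged and still be legitimate (e.g. a stale uninstall).
    """
    line = line.strip()
    if not line:
        return []
    tag = line.split(" - ", 1)[0]
    findings: List[Finding] = []

    # O23: a service whose binary carries no publisher/version info. HijackThis prints
    # "Unknown owner" for those; vendor services normally name their company.
    if line.startswith("O23 - Service:") and " - Unknown owner - " in line:
        path = line.rsplit(" - ", 1)[1]
        findings.append(Finding(tag, f"service binary without publisher info: {path}", line))

    # O20 AppInit_DLLs: every DLL listed here is loaded into each process that links
    # user32, so a non-empty value deserves a look even when the name looks familiar.
    m = APPINIT_RE.match(line)
    if m and m.group("dlls"):
        findings.append(Finding(tag, f"AppInit_DLLs loads {m.group('dlls')} into every user-mode process", line))

    # O10: the Winsock LSP chain points at a provider that is gone; until the chain is
    # repaired, connectivity is unreliable.
    m = LSP_RE.match(line)
    if m:
        findings.append(Finding(tag, f"Winsock LSP chain references missing provider {m.group('dll')}", line))

    # Any section: the registration survives but the component is gone. Orphans are
    # usually leftovers of a removal (by AV or an uninstaller) and get cleaned up.
    if line.endswith("(file missing)") or line.endswith("(no file)"):
        findings.append(Finding(tag, "orphaned entry: registered component no longer on disk", line))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log."""
    return [f for raw in text.splitlines() for f in triage_line(raw)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section tag, sorted by tag."""
    return dict(sorted(Counter(f.section for f in findings).items()))


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(results))  # {'O10': 1, 'O20': 2, 'O23': 1, 'R3': 1}
```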

Comments

  • edited March 2007
    Don't know if this might help. I just ran F-Secure again; here is the log report and another HijackThis log after the F-Secure scan. Thanks again to all who can help.

    Scanning Report

    27 March 2007 21:48:12 - 23:50:08


    Computer name: STEVE
    Scanning type: Perform full computer check
    Target: C:\ D:\ + system Result: 4 malware found

    Trojan.Win32.Qhost.ka (virus)
    • C:\WINDOWS\system32\drivers\etc\hosts
    Trojan-Proxy.Win32.Dlena.ck (virus)
    • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ANWQLILH\21[1].exe Action: deleted
    Trojan-Downloader.Win32.Agent.bkm (virus)
    • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J03TVX13\flrbblv[2].htm Action: deleted
    Backdoor.Win32.Agent.aju (virus)
    • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ANWQLILH\pebllmmww[1].htm Action: deleted
      Statistics

      Files:
      • Scanned: 52229
      • System: 5404
      • Not scanned: 36
      Result:
      • Viruses: 4
      • Spyware: 0
      • Suspected: 0
      Actions:
      • Disinfected: 0
      • Renamed: 0
      • Deleted: 3
      • Quarantined: 0
      • Failed: 0
      Boot Sectors:
      • Scanned: 1
      • Infected: 0
      • Suspected: 0
      • Disinfected: 0
      Files not scanned:
      • Cannot open file C:\hiberfil.sys
      • Cannot open file C:\pagefile.sys
      • Cannot open file C:\WINDOWS\system32\drivers\sptd.sys
      • Cannot open file C:\WINDOWS\system32\config\default
      • Scanning of C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Objects_client.zip was aborted [F-Secure AVP]
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Zatar_Wetlands\server.zip\Overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Wake_Island_2007\server.zip\overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Strike_at_Karkand\server.zip\Overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Songhua_Stalemate\server.zip\overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Sharqi_Peninsula\server.zip\overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Sharqi_Peninsula\server.zip\overgrowth\OvergrowthCollision.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Operation_Clean_Sweep\server.zip\Overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Operation_Clean_Sweep\server.zip\Overgrowth\OvergrowthCollision.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Mashtuur_City\server.zip\Overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Mashtuur_City\server.zip\Overgrowth\OvergrowthCollision.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\kubra_dam\server.zip\overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Gulf_of_Oman\server.zip\HeightmapSecondary_R1U1.raw
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Gulf_of_Oman\server.zip\overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\FuShe_Pass\server.zip\Overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Dragon_Valley\server.zip\overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Daqing_oilfields\server.zip\overgrowth\Overgrowth.con
      • Cannot open a file in archive C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Dalian_plant\server.zip\Overgrowth\Overgrowth.con
      • Scanning of C:\Pirates\Disk 1\Disk2A~1.cab was aborted [F-Secure AVP]
      • Cannot open a file in archive C:\Documents and Settings\Owner.YOUR-968A8C4819\My Documents\My Received Files\Nero 7.rar\Nero 7\Nero BackItUp\NeroFiles\UDFImporter.dll
      • Scanning of C:\Documents and Settings\Owner.YOUR-968A8C4819\My Documents\My Received Files\Nero 7.rar was aborted [F-Secure AVP]
      • Scanning of C:\Documents and Settings\Owner.YOUR-968A8C4819\Desktop\Cracks\office\PROJECT\M4561203.CAB was aborted [F-Secure AVP]
      • Scanning of C:\Documents and Settings\Owner.YOUR-968A8C4819\Desktop\Cracks\office\OFFICE\M4561403.CAB was aborted [F-Secure AVP]
      • Scanning of C:\Documents and Settings\Owner.YOUR-968A8C4819\Desktop\Cracks\office\FRONTPAGE\M4561403.CAB was aborted [F-Secure AVP]
      • Scanning of D:\i386\driver.cab was aborted [F-Secure AVP]
      • File D:\i386\Apps\App17662\shared\agentcfg.cab\screm.ui\agntcons.vbs is encrypted
      • File D:\i386\Apps\App26959\shared\agentcfg.cab\screm.ui\agntcons.vbs is encrypted
      • File D:\i386\Apps\App26959\mas\mascfg.cab\masrem.ui\appconst.vbs is encrypted
      • Cannot open a file in archive D:\i386\Apps\App22320\incd 4\incd\dma.bin.cab
      • Cannot open a file in archive D:\i386\Apps\App22320\incd 4\incd\gaa.bin.cab
      • Cannot open a file in archive D:\i386\Apps\App22320\incd 4\incd\lgc.bin.cab
      • Cannot open file C:\WINDOWS\system32\drivers\etc\hosts
      Logfile of HijackThis v1.99.1
      Scan saved at 12:09:06 AM, on 3/28/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system\msrv32.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
      C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\wmiprsv.exe
      C:\Program Files\COGECO Security Services\Common\FCH32.EXE
      C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
      C:\Program Files\COGECO Security Services\FSPC\fspc.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\COGECO Security Services\Common\FSM32.EXE
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\PROGRA~1\COGECO~1\ANTI-S~1\fsaw.exe
      C:\Program Files\COGECO Security Services\FSGUI\fsguidll.exe
      C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
      C:\Program Files\MSN Messenger\usnsvc.exe
      C:\Program Files\Steam\steam.exe
      C:\WINDOWS\system32\LVComsX.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Hijackthis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R3 - URLSearchHook: (no name) - _{DF2F3873-ACE5-856A-9F49-FCBAA3361D9E} - (no file)
      F2 - REG:system.ini: UserInit=userinit.exe
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
      O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
      O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE" /reboot
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: COGECO Security Services.lnk = C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O8 - Extra context menu item: &Block this popup - C:\Program Files\COGECO Security Services\Anti-Spyware\blockpopups.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.YOUR-968A8C4819\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
      O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913656412
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
      O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - AppInit_DLLs: smss.dll
      O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
      O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
      O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: Application Layer Gateway - Unknown owner - C:\WINDOWS\system\msrv32.exe
      O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi279533.exe
      O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. - C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe
      O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FSPC\fshttps\fshttps.exe
      O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    • edited March 2007
      Hi steen15 and welcome to Short-Media. I'm checking your log, so please be patient.
    • edited March 2007
      :) Hi steen15


      Please Download SDFix and save it to your desktop.

      Please then reboot your computer in Safe Mode by doing the following
      Restart your computer
      After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      Instead of Windows loading as normal, a menu with options should appear;
      Select the first option, to run Windows in Safe Mode, then press "Enter".
      Choose your usual account.

      In Safe Mode, right click the SDFix.zip folder and choose Extract All,
      Open the extracted folder and double click RunThis.bat to start the script.
      Type Y to begin the script.
      It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
      Press any key and it will restart the PC.
      Your system will take longer than normal to restart as the fixtool will be running and removing files.
      When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
      Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

      :)
    • edited March 2007
      Here are the logs,


      SDFix: Version 1.75
      Run by Owner - Wed 03/28/2007 - 13:43:14.39
      Microsoft Windows XP [Version 5.1.2600]
      Running From: C:\SDFix\SDFix
      Safe Mode:
      Checking Services:
      Name:
      Application Layer Gateway
      aspi113210
      kprof
      poof
      ImagePath:
      "C:\WINDOWS\system\msrv32.exe"
      C:\WINDOWS\system32\aspi279533.exe
      \??\C:\WINDOWS\system32\kprof
      \??\C:\WINDOWS\system32\poof
      Application Layer Gateway Deleted
      aspi113210 Deleted
      kprof Deleted
      poof Deleted

      Restoring Windows Registry Entries
      Restoring Default Hosts File

      Rebooting...
      Normal Mode:
      Checking Files:
      Below files will be copied to Backups folder then removed:
      C:\WINDOWS\system32\aspi279533.exe - Deleted
      C:\WINDOWS\s32.txt - Deleted
      C:\WINDOWS\system\msrv32.exe - Deleted
      C:\WINDOWS\system32\koos.exe - Deleted
      C:\WINDOWS\system32\kprof - Deleted
      C:\WINDOWS\system32\poof - Deleted
      C:\WINDOWS\Temp\_check32.bat - Deleted
      C:\WINDOWS\Temp\_td61.tmp - Deleted
      C:\WINDOWS\Temp\_tdDA.tmp - Deleted
      C:\WINDOWS\Temp\_tdF1.tmp - Deleted
      C:\WINDOWS\ws386.ini - Deleted

      ADS Check:
      C:\WINDOWS\system32
      No streams found.

      Final Check:
      Remaining Services:

      Authorized Application Key Export:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
      "C:\\Program Files\\DFPinger\\DFBHDPinger\\DFBHDPinger.exe"="C:\\Program Files\\DFPinger\\DFBHDPinger\\DFBHDPinger.exe:*:Enabled:DFBHDPinger"
      "C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe"="C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe:*:Enabled:dfbhd"
      "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
      "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
      "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
      "C:\\Program Files\\3DO\\Heroes of Might and Magic IV\\HEROES4S.EXE"="C:\\Program Files\\3DO\\Heroes of Might and Magic IV\\HEROES4S.EXE:*:Enabled:Heroes of Might and Magic® IV: Winds of War™"
      "C:\\Program Files\\Steam\\SteamApps\\sostash\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\sostash\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
      "C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Star Wars: Empire at War"
      "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
      "C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
      "C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
      "C:\\Program Files\\Steam\\SteamApps\\ken_slimshady@hotmail.com\\counter-strike\\hl.exe"="C:\\Program
      Files\\Steam\\SteamApps\\ken_slimshady@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
      "C:\\Program Files\\COGECO Security Services\\backweb\\9867844\\Program\\fspex.exe"="C:\\Program Files\\COGECO Security
      Services\\backweb\\9867844\\Program\\fspex.exe:*:Enabled:COGECO Security Services"
      "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
      "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live
      Messenger 8.0 (Phone)"
      "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
      "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remot
      e Assistance - Windows Messenger and Voice"
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
      "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program
      Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live
      Messenger 8.1"
      "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live
      Messenger 8.1 (Phone)"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplicati
      ons\List]
      "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
      "C:\\Program Files\\COGECO Security Services\\backweb\\9867844\\Program\\fspex.exe"="C:\\Program Files\\COGECO Security
      Services\\backweb\\9867844\\Program\\fspex.exe:*:Enabled:COGECO Security Services"
      "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live
      Messenger 8.0 (Phone)"
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
      "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program
      Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live
      Messenger 8.1"
      "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live
      Messenger 8.1 (Phone)"

      Remaining Files:
      Backups Folder: - C:\SDFix\SDFix\backups\backups.zip
      Checking For Files with Hidden Attributes :
      C:\Documents and Settings\Owner.YOUR-968A8C4819\NetHood\ftp.f-secure.com\Desktop.ini
      C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\??sembly\m?config.exe
      C:\WINDOWS\wmiprsv.exe
      C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
      Finished

      Logfile of HijackThis v1.99.1
      Scan saved at 1:56:33 PM, on 3/28/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
      C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\wmiprsv.exe
      C:\Program Files\COGECO Security Services\Common\FCH32.EXE
      C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
      C:\Program Files\COGECO Security Services\FSPC\fspc.exe
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\WINDOWS\system32\notepad.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\COGECO Security Services\Common\FSM32.EXE
      C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE
      C:\PROGRA~1\COGECO~1\ANTI-S~1\fsaw.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\COGECO Security Services\FSGUI\fsguidll.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
      C:\Program Files\Hijackthis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R3 - URLSearchHook: (no name) - _{DF2F3873-ACE5-856A-9F49-FCBAA3361D9E} - (no file)
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
      O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
      O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE" /reboot
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: COGECO Security Services.lnk = C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O8 - Extra context menu item: &Block this popup - C:\Program Files\COGECO Security Services\Anti-Spyware\blockpopups.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.YOUR-968A8C4819\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
      O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913656412
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
      O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - AppInit_DLLs: smss.dll
      O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
      O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. - C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe
      O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FSPC\fshttps\fshttps.exe
      O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


      Thanks for all your hard work again,

      Steve
    • edited March 2007
      :) Hi steen15

      Please download PurityScan uninstaller
      Double click on the OiUninstaller.exe icon on your desktop
      Click on Run
      Enter the four digit code that is displayed and click on Uninstall
      Click on Ok and reboot your computer


      Open HijackThis
      - Click the Do a system scan only button
      - Check the following entries (below)
      R3 - URLSearchHook: (no name) - _{DF2F3873-ACE5-856A-9F49-FCBAA3361D9E} - (no file)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
      O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.YOUR-968A8C4819\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
      O20 - AppInit_DLLs: smss.dll
      O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)

      Close ALL open windows
      Click Fix Checked
      Close HijackThis
      Please delete these folders using Windows Explorer (if present):
      C:\Program Files\PurityScan

      Please delete these files using Windows Explorer (if present):
      C:\WINDOWS\wmiprsv.exe
      C:\WINDOWS\system32\rpcc.exe

      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
      This program is for XP and Windows 2000 only!
      Double-click ATF Cleaner.exe to open it.
      Under Main select the following:
      * Windows Temp
      * Current User Temp
      * All Users Temp
      * Temporary Internet Files
      * Prefetch
      * Java Cache
      *The other boxes are optional*
      Then click the Empty Selected button.
      Click Exit on the Main menu to close the program.

      Print out these instructions or save them with notepad or Word

      Download AVG Anti-Spyware to your desktop. When ready, do the following:
      • Start AVG Anti-Spyware
      • Click the Update icon
      • Click Start update
      • Wait until updates are downloaded
      • Click the Scanner icon
      • Open the Settings tab
        • Make sure that under "How to act?" it reads Quarantine
        • (If not, click the text and choose Quarantine)
        • Under "How to scan?" all checkboxes should be ticked
        • Under "Reports" select Automatically generate report after every scan
          and uncheck Only if threats were found
        • Under "What to scan?" select Scan every file

      • Click the Shield icon
      • Under the "Resident shield is" click active to make it inactive
      • Close AVG Anti-Spyware
      =========================================
      Reboot to safe mode
      • If the computer is running, shut down Windows, and then turn off the power
      • Wait 30 seconds, and then turn the computer on
      • Start tapping the F8 key
      • The Windows Advanced Options Menu appears
      • Ensure that the Safe Mode option is selected
      • Press Enter. The computer then begins to start in Safe mode
      • Login on your usual account
      =========================================
      • Close all open windows / programs / folders
      • Start AVG Anti-Spyware
      • Click the Scanner icon
      • Click Complete System Scan
      • Let the program scan the machine
      • When the scan has finished, follow the instructions below
        • Make sure that under "Set all elements to" it reads Quarantine
        • (If not, click the text and choose Quarantine)
        • Click Apply all actions
        • Click Save Report
        • Click Save reports as
        • Save report to your Desktop
      :) Post a fresh HijackThis log, and the AVG Anti-Spyware report
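      The entries peku006 picked out of the log above are all recognisable by a few mechanical rules: a registry reference whose target file is gone ("(no file)" / "(file missing)"), a populated AppInit_DLLs value, a service with no vendor in its file information, and a Run key launching an unfamiliar executable out of the Windows directory. The Python script below is an added example (not part of this thread, and not HijackThis or AVG code) that applies those rules to HijackThis-format lines. The sample lines are copied from the log posted above plus two benign entries; the allowlist of well-known Windows Run binaries is a constructed assumption and would need expanding for a real machine.

```python
"""Triage a HijackThis v1.99 log by rule, the way a helper reads it.

Added example: flags the same categories of entry that were asked to be
"Fix Checked" in this thread. Nothing here modifies the system; it only
reads log text and returns findings for a human to review.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    reason: str    # why the line was flagged
    line: str      # the log line itself


# Constructed assumption: Windows programs that legitimately start from Run
# keys on XP. Anything else launched from inside the Windows directory is
# flagged for review (review, not a verdict).
KNOWN_WINDOWS_RUN_BINARIES = {"ctfmon.exe", "rundll32.exe", "wuauclt.exe"}

# "O4 - HKLM\..\Run: [Name] command"  ->  section tag and the rest of the line
SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed sample input: lines taken from the log posted in this thread,
# plus the NvCplDaemon, WgaLogon and NVSvc lines as benign controls.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"R3 - URLSearchHook: (no name) - _{DF2F3873-ACE5-856A-9F49-FCBAA3361D9E} - (no file)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe",
    r"O20 - AppInit_DLLs: smss.dll",
    r"O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
])


def first_token(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def in_windows_dir(path: str) -> bool:
    """True when the path points somewhere under the Windows directory."""
    return "\\windows\\" in path.lower().replace("/", "\\")


def triage(log_text: str) -> list[Finding]:
    """Apply the review rules to every R/O line; other lines are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")

        # Rule 1: the registry still points at something that no longer exists.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(sec, "orphaned entry, target file missing", line))
            continue
        # Rule 2: AppInit_DLLs injects the named DLL into every process that loads user32.dll.
        if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(Finding(sec, "AppInit_DLLs is populated", line))
            continue
        # Rule 3: a service whose binary carries no vendor information.
        if sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "service binary has no vendor/owner", line))
            continue
        # Rule 4: a Run key starting an unfamiliar executable from inside C:\WINDOWS.
        if sec == "O4":
            m4 = O4_RE.search(body)
            if m4:
                exe = first_token(m4.group("cmd"))
                base = exe.rsplit("\\", 1)[-1].lower()
                if in_windows_dir(exe) and base not in KNOWN_WINDOWS_RUN_BINARIES:
                    findings.append(Finding(sec, "unfamiliar executable started from Windows directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason:<55} {f.line}")
```

      Run against the sample it returns six findings, which are exactly the six entries peku006 asked to have fixed (the two orphaned "(no file)" hooks, the WindowsHive/rpcc.exe Run key, the AppInit_DLLs value, the missing SSOExec notify DLL and the "Unknown owner" service), while the NVIDIA, WgaLogon and NvCplDaemon control lines pass. The rules are deliberately conservative: they find things that deserve a human look, and the decision to remove still belongs to the person reading the log.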
    • edited March 2007
      I don't know how you guys (peku006 for me) got so good at this but thank god you did. Here are the latest logs

      Logfile of HijackThis v1.99.1
      Scan saved at 8:33:45 PM, on 3/28/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
      C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\COGECO Security Services\Common\FCH32.EXE
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
      C:\Program Files\COGECO Security Services\FSPC\fspc.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\COGECO Security Services\Common\FSM32.EXE
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
      C:\Program Files\Hijackthis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
      O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
      O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE" /reboot
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: COGECO Security Services.lnk = C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O8 - Extra context menu item: &Block this popup - C:\Program Files\COGECO Security Services\Anti-Spyware\blockpopups.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
      O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913656412
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
      O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. - C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe (file missing)
      O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FSPC\fshttps\fshttps.exe
      O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

      AVG Anti-Spyware - Scan Report
      + Created at: 8:25:49 PM 3/28/2007
      + Scan result:

      HKU\S-1-5-21-367405231-2284523091-1955801859-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2D38A51A-23C9-48A1-A33C-48675AA2B494} -> Adware.Generic : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Windows installer -> Adware.PestTrap : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Windows installer -> Adware.PestTrap : Error during cleaning.
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP363\A0123909.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP363\A0123910.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\IE Security -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\IE Security\BlockedLocations -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\Process Security -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\Process Security\Policies -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\Process Security\Policies\Allowed -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\Process Security\Policies\Restricted -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\Scan -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\System Security -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\.DEFAULT\Software\SpySheriff\Updates -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\IE Security -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\IE Security\BlockedLocations -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\Process Security -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\Process Security\Policies -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\Process Security\Policies\Allowed -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\Process Security\Policies\Restricted -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\Scan -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\System Security -> Adware.SpySheriff : Cleaned with backup (quarantined).
      HKU\S-1-5-18\Software\SpySheriff\Updates -> Adware.SpySheriff : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP341\A0114975.exe -> Downloader.Small.ddt : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP346\A0116384.exe -> Downloader.Small.ddt : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP355\A0117210.exe -> Downloader.Small.ddt : Cleaned with backup (quarantined).
      C:\Program Files\Microsoft Works\hoxyn.0tml -> Hijacker.Small.jf : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP340\A0113991.dll -> Proxy.Dlena.aj : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP355\A0117211.dll -> Proxy.Dlena.aj : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP360\A0117746.0ll -> Proxy.Dlena.cb : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\rpcc.0ll -> Proxy.Dlena.cb : Cleaned with backup (quarantined).
      C:\WINDOWS\IA\KE.vbs -> Trojan.Small : Cleaned with backup (quarantined).

      ::Report end
    • edited March 2007
:) Hi steen15


      Please download SmitfraudFix (by S!Ri) to your Desktop.
      Double-click SmitfraudFix.exe
      Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
      Please copy/paste the content of that report into your next reply.

      **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive usually C: and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, and therefore may alert the user.
      http://www.beyondlogic.org/consulting/processutil/processutil.htm

      ;)
    • edited March 2007
      SmitFraudFix v2.159
      Scan done at 6:48:09.45, Thu 03/29/2007
      Run from C:\SmitfraudFix
      OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
      The filesystem type is NTFS
      Fix run in normal mode
      »»»»»»»»»»»»»»»»»»»»»»»» Process
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
      C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\COGECO Security Services\Common\FCH32.EXE
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
      C:\Program Files\COGECO Security Services\FSPC\fspc.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\COGECO Security Services\Common\FSM32.EXE
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
      C:\Program Files\MSN Messenger\usnsvc.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\system32\cmd.exe
      »»»»»»»»»»»»»»»»»»»»»»»» hosts

      »»»»»»»»»»»»»»»»»»»»»»»» C:\

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

      »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

      »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner.YOUR-968A8C4819

      »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data

      »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

      »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OWNER~1.YOU\FAVORI~1

      »»»»»»»»»»»»»»»»»»»»»»»» Desktop

      »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

      »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

      »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
      "Source"="About:Home"
      "SubscribedURL"="About:Home"
      "FriendlyName"="My Current Home Page"

      »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"

      »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
      !!!Attention, following keys are not inevitably infected!!!
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
      "AppInit_DLLs"=""

      »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
      !!!Attention, following keys are not inevitably infected!!!
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "System"=""

      »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

      »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

      »»»»»»»»»»»»»»»»»»»»»»»» End

      Logfile of HijackThis v1.99.1
      Scan saved at 6:48:51 AM, on 3/29/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
      C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\COGECO Security Services\Common\FCH32.EXE
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
      C:\Program Files\COGECO Security Services\FSPC\fspc.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\COGECO Security Services\Common\FSM32.EXE
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
      C:\Program Files\MSN Messenger\usnsvc.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Hijackthis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
      7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
      O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
      O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE" /reboot
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: COGECO Security Services.lnk = C:\Program Files\COGECO Security
      Services\backweb\9867844\Program\fspex.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O8 - Extra context menu item: &Block this popup - C:\Program Files\COGECO Security Services\Anti-Spyware\blockpopups.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
      Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security
      Services\FSPC\fspcmsie.dll
      O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security
      Services\FSPC\fspcmsie.dll
      O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security
      Services\FSPC\fspcmsie.dll
      O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security
      Services\Anti-Spyware\ieshield.dll
      O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security
      Services\Anti-Spyware\ieshield.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program
      Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program
      Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file
      missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
      Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
      Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
      http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
      http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
      O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) -
      https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
      http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
      http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913656412
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
      http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -
      http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
      O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop
      Messenger\8876480\Program\GAPlugProtocol-8876480.dll
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware
      7.5\guard.exe
      O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. -
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\COGECO Security
      Services\Anti-Virus\fsgk32st.exe
      O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\COGECO Security
      Services\FWES\Program\fsdfwd.exe (file missing)
      O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\COGECO Security
      Services\FSPC\fshttps\fshttps.exe
      O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\COGECO Security
      Services\Common\FSMA32.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common
      Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

      :smiles:
    • edited March 2007
      :) Hi steen15

      You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
      * Restart your computer
      * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      * Instead of Windows loading as normal, a menu with options should appear;
      * Select the first option, to run Windows in Safe Mode, then press "Enter".
      * Choose your usual account.
      Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
      Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

      The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
      The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
      A text file will appear onscreen, with results from the cleaning process.
      The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


Post C:\rapport.txt ;)
    • edited March 2007
peku006, here is the report and another HJT log in case you needed it too.

      SmitFraudFix v2.159
      Scan done at 12:20:18.73, Thu 03/29/2007
      Run from C:\SmitfraudFix
      OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
      The filesystem type is NTFS
      Fix run in safe mode
      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"

      »»»»»»»»»»»»»»»»»»»»»»»» Killing process

      »»»»»»»»»»»»»»»»»»»»»»»» hosts

      »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
      GenericRenosFix by S!Ri

      »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

      »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

      »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
      !!!Attention, following keys are not inevitably infected!!!
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "System"=""

      »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

      Registry Cleaning done.

      »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!
      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll

      »»»»»»»»»»»»»»»»»»»»»»»» End

      Logfile of HijackThis v1.99.1
      Scan saved at 12:30:21 PM, on 3/29/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
      C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\Program Files\COGECO Security Services\Common\FCH32.EXE
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
      C:\Program Files\COGECO Security Services\FSPC\fspc.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\COGECO Security Services\Common\FSM32.EXE
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
      C:\Program Files\Hijackthis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
      7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
      O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
      O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE" /reboot
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: COGECO Security Services.lnk = C:\Program Files\COGECO Security
      Services\backweb\9867844\Program\fspex.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O8 - Extra context menu item: &Block this popup - C:\Program Files\COGECO Security Services\Anti-Spyware\blockpopups.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
      Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security
      Services\FSPC\fspcmsie.dll
      O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security
      Services\FSPC\fspcmsie.dll
      O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security
      Services\FSPC\fspcmsie.dll
      O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security
      Services\Anti-Spyware\ieshield.dll
      O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security
      Services\Anti-Spyware\ieshield.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program
      Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program
      Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file
      missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
      Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
      Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
      http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
      http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
      O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) -
      https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
      http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
      http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913656412
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
      http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -
      http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
      O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop
      Messenger\8876480\Program\GAPlugProtocol-8876480.dll
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware
      7.5\guard.exe
      O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. -
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\COGECO Security
      Services\Anti-Virus\fsgk32st.exe
      O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\COGECO Security
      Services\FWES\Program\fsdfwd.exe (file missing)
      O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\COGECO Security
      Services\FSPC\fshttps\fshttps.exe
      O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\COGECO Security
      Services\Common\FSMA32.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common
      Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
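The helper is reading the two HijackThis logs above by eye: the 6:48 AM log taken before SmitfraudFix's clean run and the 12:30 PM log taken after it. The Python below is an added example for this thread, not code from HijackThis, SmitfraudFix or any other tool named here. It parses an HJT log, rejoins the lines the forum wrapped, flags the entries a removal helper looks at first (an entry marked "(file missing)", an O23 service with "Unknown owner", a service binary outside the usual directories, a broken O10 LSP chain) and diffs the two logs to show what the cleaning changed. Which conditions get flagged, and which directories count as "expected", are this example's own assumptions, not a verdict on any specific entry. The sample logs are a constructed subset of the lines posted in this thread.

```python
"""Triage and diff HijackThis 1.99.x logs: an added example for this thread, not
code from HijackThis, SmitfraudFix or any other tool named above. What gets
flagged is this example's own assumption, and the sample logs below are a
constructed subset of the two 3/29/2007 logs posted here, forum wrapping kept."""
from __future__ import annotations

import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")  # e.g. "O23 - Service: ..."
# Assumed normal homes for service binaries; anything elsewhere deserves a look.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass(frozen=True)
class Entry:
    code: str  # section code such as "O23"
    body: str  # rest of the line, with wrapped continuation lines rejoined


def parse_hjt(text: str) -> list[Entry]:
    """Return the hijack entries, skipping the header and 'Running processes' list.
    Forum software wraps long lines at a space, so once entries have started a
    line without a section code is glued back onto the previous entry."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if entries:  # a blank line after the entries ends the log
                break
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif entries:
            entries[-1] = Entry(entries[-1].code, entries[-1].body + " " + line)
    return entries


def service_path(body: str) -> str | None:
    """O23 body is 'Service: name (short) - owner - path'. Split from the right,
    since display names such as '(BackWeb Plug-in - 9867844)' contain ' - ' too."""
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    path = parts[2]
    if path.lower().endswith("(file missing)"):
        path = path[: -len("(file missing)")].rstrip()
    return path


def triage(entries: list[Entry]) -> list[tuple[Entry, tuple[str, ...]]]:
    """Return (entry, reasons) for the entries a removal helper looks at first."""
    findings = []
    for e in entries:
        low, reasons = e.body.lower(), []
        if "(file missing)" in low:
            reasons.append("referenced file is missing: orphaned entry or deleted payload")
        if e.code == "O23":
            if "unknown owner" in low:
                reasons.append("service binary has no recognised publisher")
            path = service_path(e.body)
            if path and not path.lower().startswith(EXPECTED_DIRS):
                reasons.append("service binary outside expected directories: " + path)
        if e.code == "O10":
            reasons.append("Winsock LSP chain is broken: repair it, do not just delete the entry")
        if reasons:
            findings.append((e, tuple(reasons)))
    return findings


def diff_hjt(before: str, after: str) -> tuple[list[str], list[str]]:
    """(removed, added) entries between two logs, e.g. before and after a clean."""
    b = {f"{e.code} - {e.body}" for e in parse_hjt(before)}
    a = {f"{e.code} - {e.body}" for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


# Constructed samples: entries common to both posted logs, wrapping kept as posted.
COMMON = r"""O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. -
C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\COGECO Security
Services\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
HEADER = "Logfile of HijackThis v1.99.1\nRunning processes:\nC:\\WINDOWS\\System32\\smss.exe\n"
LOG_BEFORE = HEADER + r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
""" + COMMON
LOG_AFTER = HEADER + r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en" + "\n" + COMMON

if __name__ == "__main__":
    for entry, reasons in triage(parse_hjt(LOG_BEFORE)):
        print(entry.code, entry.body[:70], *reasons, sep="\n    ")
    print(diff_hjt(LOG_BEFORE, LOG_AFTER))
```

Run against the before-log sample, the triage flags the broken LSP (O10), the orphaned igfxcui Winlogon Notify entry, the FSDFWD service whose binary is absent, and the "Microsoft Validation Service" entry pointing at a missing C:\WINDOWS\wmiprsv.exe with no publisher, while the BackWeb and NVIDIA services pass; the diff shows the three IE R0/R1 entries gone and the HKCU Start Page changed. Flagged is not the same as malicious: a vendor component whose file has simply been removed looks identical to a deleted payload, and an O10 entry is fixed by repairing the Winsock provider chain, not by deleting the entry, or the machine loses network access.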
    • edited March 2007
:) Hi steen15


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...
      Updating Java:
• Download the latest version of Java Runtime Environment (JRE) 6.
      • Click the "Download" button to the right.
      • Check the box that says: "Accept License Agreement."
      • The page will refresh.
      • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
      • Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove Programs and remove the following...
        • J2SE Runtime Environment 5.0 Update 6
      • Reboot your computer once all Java components are removed.
      • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
      Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.
      * Once you are on the Panda site click the Scan your PC button
      * A new window will open...click the Check Now button
      * Enter your Country
      * Enter your State/Province
      * Enter your e-mail address and click send
      * Select either Home User or Company
      * Click the big Scan Now button
      * If it wants to install an ActiveX component allow it
      * It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
      * When download is complete, click on My Computer to start the scan
      * When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

      Download Deckard's System Scanner to your Desktop.
      * Close all applications and windows.
      * Double-click on Dss.exe to run it, and follow the prompts.
      * The scan may take a minute. When the scan is complete, a text file will open - Main.txt and extra.txt

      Post the Dss Main.txt, extra.txt and the ActiveScan report.
      ;)
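      The helpers in this thread read the HijackThis O4 and O23 lines by eye, looking for services with no reported owner, binaries marked "(file missing)", and startup items launched from odd locations. The script below is an added example (it is not from this thread, from HijackThis or from Deckard's System Scanner) that applies those same checks mechanically. The sample lines are constructed from entries posted in this thread; the rules are heuristics, so a flagged entry still needs a human to decide whether the file is legitimate.

```python
"""Triage pass over HijackThis-style O4 (autorun) and O23 (service) lines.

Added example, not part of the thread or of any tool it mentions. It flags
the same things a log reader checks first: services with no owner/company,
service binaries that are missing from disk, and startup executables that
live in a drive root, directly in the Windows directory, or under a user
profile data/temp folder instead of Program Files or system32.
"""
import ntpath
import re

# Constructed sample modelled on entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [v1201] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [MCONFI~1] C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\SEMBLY~1\MCONFI~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. - C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe (file missing)
"""

# O4 - HKLM\..\Run: [item] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<item>[^\]]*)\] (?P<command>.*)$"
)
# O23 - Service: name - owner - path   (the path must start with a drive letter
# or %VAR% so that " - " inside a service name or path cannot confuse the split)
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - (?P<path>(?:[A-Za-z]:\\|%).*)$"
)
FILE_MISSING = "(file missing)"


def executable_of(command: str) -> str:
    """Return the executable part of a Run value: the quoted path if the
    command is quoted, otherwise the first whitespace-separated token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def location_reasons(path: str) -> list:
    """Heuristic checks on where an autostart executable lives."""
    reasons = []
    low = path.lower()
    if not re.match(r"^[a-z]:\\", low):
        # A bare name is resolved through the search path; its location
        # cannot be verified from the log alone.
        reasons.append("bare file name, location not verifiable from the log")
        return reasons
    directory = ntpath.dirname(low).rstrip("\\")
    if re.fullmatch(r"[a-z]:", directory):
        reasons.append("executable in drive root")
    elif re.fullmatch(r"[a-z]:\\windows", directory):
        reasons.append("executable directly in the Windows directory")
    if "\\applic~1\\" in low or "\\application data\\" in low or "\\temp\\" in low:
        reasons.append("executable under a user profile data or temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Parse O4/O23 lines and return the entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        missing = line.endswith(FILE_MISSING)
        if missing:
            line = line[: -len(FILE_MISSING)].rstrip()
        if m := O4_RE.match(line):
            exe = executable_of(m["command"])
            reasons = location_reasons(exe)
            if reasons:
                findings.append({"section": "O4", "name": m["item"], "path": exe, "reasons": reasons})
        elif m := O23_RE.match(line):
            reasons = location_reasons(m["path"])
            if m["owner"] == "Unknown owner":
                reasons.append("no file owner/company reported")
            if missing:
                reasons.append("service binary not present on disk")
            if reasons:
                findings.append({"section": "O23", "name": m["name"], "path": m["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['section']} {finding['name']!r}: {finding['path']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

      On the sample above the script leaves the NVIDIA and BackWeb services and the quoted AVG autorun alone, and reports the bare SOUNDMAN.EXE, the two items launched from C:\WINDOWS and a profile folder, and both services that have no owner and whose binary is missing. A missing-file service entry is harmless by itself, but it is also the trace an uninstalled or deleted component leaves behind, which is why the helpers ask to see it.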
    • edited March 2007
      Peku006, here are the logs:

      Deckard's System Scanner v20070328.36
      Run by Owner on 2007-03-29 at 18:09:24
      Computer is in Normal Mode.
      -- System Restore
      Successfully created a Deckard's System Scanner Restore Point.

      -- Last 5 Restore Point(s) --
      81: 2007-03-29 22:09:50 UTC - RP368 - Deckard's System Scanner Restore Point
      80: 2007-03-29 20:42:03 UTC - RP367 - Installed Java(TM) SE Runtime Environment 6 Update 1
      79: 2007-03-29 20:37:03 UTC - RP366 - Removed J2SE Runtime Environment 5.0 Update 2
      78: 2007-03-29 20:36:28 UTC - RP365 - Removed J2SE Runtime Environment 5.0 Update 6
      77: 2007-03-29 18:29:04 UTC - RP364 - System Checkpoint

      -- First Restore Point --
      1: 2007-01-06 20:17:36 UTC - RP288 - System Checkpoint

      Backed up registry hives.
      Performed disk cleanup.

      -- HijackThis (run as Owner.exe)
      Logfile of HijackThis v1.99.1
      Scan saved at 6:11:04 PM, on 3/29/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
      C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\COGECO Security Services\Common\FCH32.EXE
      C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
      C:\Program Files\COGECO Security Services\FSPC\fspc.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\COGECO Security Services\Common\FSM32.EXE
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Cracks\dss.exe
      C:\Program Files\Windows Media Player\setup_wm.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\PROGRA~1\HIJACK~1\Owner.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
      O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
      O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE" /reboot
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: COGECO Security Services.lnk = C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O8 - Extra context menu item: &Block this popup - C:\Program Files\COGECO Security Services\Anti-Spyware\blockpopups.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
      O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913656412
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
      O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. - C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe (file missing)
      O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FSPC\fshttps\fshttps.exe
      O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

      -- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\)
      backup-20070328-172430-790 O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.YOUR-968A8C4819\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
      backup-20070328-172430-824 O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
      backup-20070328-172430-906 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      backup-20070328-172442-893 O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)
      -- File Associations
      All associations okay.

      -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
      R0 cbidf - c:\windows\system32\drivers\cbidf2k.sys
      R0 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys
      R0 FSFW (F-Secure Firewall Driver) - c:\windows\system32\drivers\fsdfw.sys
      R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys
      R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys
      R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys
      R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys
      R2 F-Secure Filter (F-Secure File System Filter) - c:\program files\cogeco security services\anti-virus\win2k\fsfilter.sys
      R2 F-Secure Gatekeeper - c:\program files\cogeco security services\anti-virus\win2k\fsgk.sys
      R2 F-Secure Recognizer (F-Secure File System Recognizer) - c:\program files\cogeco security services\anti-virus\win2k\fsrec.sys
      R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
      R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys
      R3 HSF_DPV - c:\windows\system32\drivers\hsf_dpv.sys
      R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys
      R3 LVUVC (Logitech QuickCam Pro 5000(UVC)) - c:\windows\system32\drivers\lvuvc.sys
      R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys
      S3 AdWatchDrv (AW Realtime Driver) - c:\windows\system32\drivers\awrtpd.sys (file missing)
      S3 CamDrL (Logitech QuickCam Pro 3000(CamDrl)) - c:\windows\system32\drivers\camdrl.sys
      S3 hamachi (Hamachi Network Interface) - c:\windows\system32\drivers\hamachi.sys
      S3 L8042mou (Logitech SetPoint PS/2 Mouse Filter Driver) - c:\windows\system32\drivers\l8042mou.sys
      S3 mxnic (Macronix MX987xx Family Fast Ethernet NT Driver) - c:\windows\system32\drivers\mxnic.sys
      S3 nm (Network Monitor Driver) - c:\windows\system32\drivers\nmnt.sys
      S3 PciCon - e:\pcicon.sys (file missing)
      S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys

      -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
      R2 BackWeb Plug-in - 9867844 (COGECO Security Services) - c:\progra~1\cogeco~1\backweb\9867844\program\servic~1.exe
      R2 fsbwsys - "c:\program files\cogeco security services\backweb\9867844\program\fsbwsys.exe"
      R2 F-Secure Gatekeeper Handler Starter (FSGKHS) - "c:\program files\cogeco security services\anti-virus\fsgk32st.exe"
      R2 FSMA (F-Secure Management Agent) - "c:\program files\cogeco security services\common\fsma32.exe"
      R3 fshttps (F-Secure HTTP Server) - "c:\program files\cogeco security services\fspc\fshttps\fshttps.exe"
      S2 Microsoft Validation Service - "c:\windows\wmiprsv.exe" (file missing)
      S3 FSDFWD (F-Secure Anti-Virus Firewall Daemon) - "c:\program files\cogeco security services\fwes\program\fsdfwd.exe" (file missing)
      S3 MHN - c:\windows\system32\svchost.exe -k netsvcs

      -- Scheduled Tasks
      2007-03-28 20:31:26 544 --a C:\WINDOWS\Tasks\Scheduled scanning task.job<SCHEDU~1.JOB>
      2006-07-02 15:46:28 300 --a C:\WINDOWS\Tasks\XoftSpy.job
      2006-03-02 21:15:00 258 --a C:\WINDOWS\Tasks\ISP signup reminder 3.job<ISPSIG~3.JOB>
      2006-02-17 21:00:00 258 --a C:\WINDOWS\Tasks\ISP signup reminder 1.job<ISPSIG~1.JOB>

      -- Files created between 2007-02-28 and 2007-03-29
      2007-03-29 16:44:46 0 d C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
      2007-03-29 16:44:43 0 d C:\WINDOWS\LastGood
      2007-03-29 16:42:07 0 d C:\Program Files\Common Files\Java
      2007-03-29 06:48:00 0 d C:\SmitfraudFix<SMITFR~1>
      2007-03-29 06:47:19 2204 --a C:\WINDOWS\system32\tmp.reg
      2007-03-29 06:46:30 866390 --a C:\SmitfraudFix.exe<SMITFR~1.EXE>
      2007-03-28 17:30:47 3968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
      2007-03-27 19:34:46 77312 --a C:\WINDOWS\ua2.dll
      2007-03-27 12:16:59 0 d C:\WINDOWS\trace
      2007-03-13 02:48:58 0 d C:\Program Files\MSBuild
      2007-03-13 02:46:05 0 d C:\WINDOWS\system32\XPSViewer<XPSVIE~1>
      2007-03-13 02:45:17 0 d C:\Program Files\Reference Assemblies<REFERE~1>
      2007-03-13 02:44:31 14048 n--- C:\WINDOWS\system32\spmsg2.dll
      2007-03-10 21:15:15 0 d C:\trek
      2007-03-08 21:26:19 0 d C:\Program Files\Steam
      2007-03-08 21:25:36 0 d C:\Program Files\Sierra On-Line<SIERRA~1>
      2007-03-07 20:06:58 0 d C:\WINDOWS\system32\QuickTime<QUICKT~1>
      2007-03-07 20:06:57 0 d C:\Program Files\3ivx

      -- Find3M Report
      2007-03-29 17:33:10 0 d C:\Program Files\MSN Messenger<MSNMES~1>
      2007-03-29 16:42:42 0 d C:\Program Files\Java
      2007-03-29 12:06:13 0 d C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\uTorrent
      2007-03-28 17:18:02 0 d C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\??sembly
      2007-03-27 08:42:28 0 d C:\Program Files\XoftSpy
      2007-03-24 12:23:49 0 d C:\Program Files\PokerStars<POKERS~1>
      2007-03-23 16:36:58 0 d C:\Program Files\UFile 2006<UFILE2~1>
      2007-03-11 01:43:51 0 d C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\LimeWire
      2007-03-10 21:24:19 0 d C:\Program Files\Bethesda Softworks<BETHES~1>
      2007-03-10 16:47:24 0 d C:\Program Files\Lavasoft
      2007-03-08 21:06:28 0 d C:\Program Files\Google
      2007-03-08 21:04:46 0 d C:\Program Files\Cain
      2007-03-07 20:03:40 0 d C:\Program Files\DivX
      2007-02-23 00:29:58 524288 --a C:\WINDOWS\system32\DivXsm.exe
      2007-02-23 00:29:56 3596288 --a C:\WINDOWS\system32\qt-dx331.dll
      2007-02-23 00:29:49 200704 --a C:\WINDOWS\system32\ssldivx.dll
      2007-02-23 00:29:49 1044480 --a C:\WINDOWS\system32\libdivx.dll
      2007-02-23 00:25:24 196608 --a C:\WINDOWS\system32\dtu100.dll
      2007-02-23 00:25:24 73728 --a C:\WINDOWS\system32\dpl100.dll
      2007-02-23 00:25:23 53248 --a C:\WINDOWS\system32\dpuGUI10.dll
      2007-02-23 00:25:22 57344 --a C:\WINDOWS\system32\dpv11.dll
      2007-02-23 00:25:22 344064 --a C:\WINDOWS\system32\dpus11.dll
      2007-02-23 00:25:22 593920 --a C:\WINDOWS\system32\dpuGUI11.dll
      2007-02-23 00:25:22 294912 --a C:\WINDOWS\system32\dpu11.dll
      2007-02-23 00:25:22 294912 --a C:\WINDOWS\system32\dpu10.dll
      2007-02-23 00:25:19 802816 --a C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
      2007-02-23 00:25:19 823296 --a C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
      2007-02-23 00:25:19 823296 --a C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
      2007-02-23 00:25:19 639066 --a C:\WINDOWS\system32\DivX.dll
      2007-02-16 21:23:56 0 d--h C:\Program Files\InstallShield Installation Information<INSTAL~1>
      2007-02-15 21:40:35 124472 --a C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
      2007-02-15 18:18:07 0 d C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
      2007-02-14 19:54:14 0 d C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\Uniblue
      2007-02-14 19:53:58 0 d C:\Program Files\Uniblue
      2007-02-12 18:36:32 0 d C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\Logitech
      2007-02-12 18:26:24 0 d C:\Program Files\Common Files\Logitech
      2007-02-12 18:26:18 0 d C:\Program Files\Logitech
      2007-02-12 09:19:53 0 d C:\Program Files\Microsoft Works<MICROS~3>
      2007-02-03 16:24:05 0 d C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\AdobeUM
      2007-02-02 23:17:51 0 d C:\Program Files\GameShadow<GAMESH~1>
      2007-02-02 23:02:12 0 d C:\Program Files\Ubisoft
      2007-02-01 23:44:28 0 d C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\Ahead
      2007-02-01 19:08:45 0 d C:\Program Files\Cucusoft
      2007-01-31 03:13:56 0 d---s---- C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data\Microsoft<MICROS~1>
      2007-01-31 00:05:21 0 d C:\Program Files\Common Files\L&H
      2007-01-31 00:04:27 0 d C:\Program Files\Microsoft ActiveSync<MI3AA1~1>
      2007-01-31 00:02:24 0 d C:\Program Files\Microsoft.NET<MICROS~1.NET>
      2007-01-29 22:24:53 0 d C:\Program Files\Winamp
      2007-01-26 23:27:19 130048 --a C:\WINDOWS\system32\SpoonUninstall.exe<SPOONU~1.EXE>
      2007-01-25 21:19:00 118520 n--- C:\WINDOWS\system32\pxinsi64.exe
      2007-01-25 21:19:00 116472 n--- C:\WINDOWS\system32\pxcpyi64.exe
      2007-01-25 21:19:00 129784 n--- C:\WINDOWS\system32\pxafs.dll
      2007-01-19 13:53:04 51056 --a C:\WINDOWS\system32\sirenacm.dll
      2007-01-08 20:01:14 17408 --a C:\WINDOWS\system32\corpol.dll

      -- Registry Dump

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
      "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
      "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
      "WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
      "SoundMan"="SOUNDMAN.EXE"
      "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
      "F-Secure Manager"="\"C:\\Program Files\\COGECO Security Services\\Common\\FSM32.EXE\" /splash"
      "F-Secure TNB"="\"C:\\Program Files\\COGECO Security Services\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
      "F-Secure Startup Wizard"="\"C:\\Program Files\\COGECO Security Services\\FSGUI\\FSSW.EXE\" /reboot"
      "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
      "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
      "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
      "Installed"="1"
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
      "Installed"="1"
      "NoChange"="1"
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
      "Installed"="1"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
      "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
      "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
      "location"="Common Startup"
      "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
      "item"="Adobe Reader Speed Launch"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
      "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BigFix.lnk"
      "backup"="C:\\WINDOWS\\pss\\BigFix.lnkCommon Startup"
      "location"="Common Startup"
      "command"="C:\\PROGRA~1\\BigFix\\BigFix.exe /atstartup"
      "item"="BigFix"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="v1201"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\v1201.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="daemon"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="dfndrb_3"
      "hkey"="HKLM"
      "command"="c:\\\\dfndrb_3.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="Core"
      "hkey"="HKCU"
      "command"="C:\\Program Files\\Electronic Arts\\EA Link\\Core.exe -silent"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="cmd"
      "hkey"="HKCU"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="ehtray"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\ehome\\ehtray.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="optimize"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="iTunesHelper"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="kybrdb_3"
      "hkey"="HKLM"
      "command"="c:\\\\kybrdb_3.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="LogitechDesktopMessenger"
      "hkey"="HKCU"
      "command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="ManifestEngine"
      "hkey"="HKCU"
      "command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="ISStart"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="LogiTray"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="LVCOMSX"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms076209-214555]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="ms076209-214555"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\ms076209-214555.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="msmsgs"
      "hkey"="HKCU"
      "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="msnmsgr"
      "hkey"="HKCU"
      "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mukywt]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="MCONFI~1"
      "hkey"="HKCU"
      "command"="C:\\DOCUME~1\\OWNER~1.YOU\\APPLIC~1\\SEMBLY~1\\MCONFI~1.EXE"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="NeroCheck"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="nwnmb_3"
      "hkey"="HKLM"
      "command"="c:\\\\nwnmb_3.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="ispnews"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\COGECO Security Services\\FSGUI\\ispnews.exe\""
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="NvCpl"
      "hkey"="HKLM"
      "command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="NvMcTray"
      "hkey"="HKLM"
      "command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="nwiz"
      "hkey"="HKLM"
      "command"="nwiz.exe /install"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="qttask"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="readericon45G"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\Digital Media Reader\\readericon45G.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="RECGUARD"
      "hkey"="HKLM"
      "command"="%WINDIR%\\SMINST\\RECGUARD.EXE"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="PDVDServ"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rwbmyprA]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="rwbmyprA"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\rwbmyprA.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="Steam"
      "hkey"="HKCU"
      "command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="jusched"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="Ssk"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys_up1]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="svchostsys"
      "hkey"="HKCU"
      "command"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"=""
      "hkey"="HKLM"
      "command"=""
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="SpeedUpMyPC"
      "hkey"="HKCU"
      "command"="C:\\Program Files\\Uniblue\\SpeedUpMyPC\\SpeedUpMyPC.exe -s"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wfzm]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="wfzmm"
      "hkey"="HKCU"
      "command"="C:\\PROGRA~1\\COMMON~1\\wfzm\\wfzmm.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win320909-21455562]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="win320909-21455562"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\win320909-21455562.exe"
      "inimapping"="0"
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="WMPNSCFG"
      "hkey"="HKCU"
      "command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
      "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
      [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
      "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
      "SpySheriff"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
      63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
      6d,73,73,74,79,6c,65,73,00
      "InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
      73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
      "DisableRegistryTools"=dword:00000000
      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
      "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
      HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
      LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
      NetworkService REG_MULTI_SZ DnsCache\0\0
      DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
      rpcss REG_MULTI_SZ RpcSs\0\0
      imgsvc REG_MULTI_SZ StiSvc\0\0
      termsvcs REG_MULTI_SZ TermService\0\0
      WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

      [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
      Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
      Shell\AutoRun\command F:\SH3Autorun.exe

      -- End of Deckard's System Scanner: finished at 2007-03-29 at 18:11:27

      Deckard's System Scanner v20070328.36
      Extra logfile - please post this as an attachment with your post.
      -- System Information
      Microsoft Windows XP Professional (build 2600) SP 2.0
      Architecture: X86; Language: English
      CPU 0: AMD Athlon(tm) 64 Processor 3500+
      Percentage of Memory in Use: 26%
      Physical Memory (total/avail): 2046.48 MiB / 1510.99 MiB
      Pagefile Memory (total/avail): 3391.41 MiB / 2977.16 MiB
      Virtual Memory (total/avail): 2047.88 MiB / 1990.2 MiB
      C: is Fixed (NTFS) - 181.42 GiB total, 39.66 GiB free.
      D: is Fixed (FAT32) - 4.88 GiB total, 1.78 GiB free.
      E: is CDROM (No Media)
      F: is CDROM (UDF)
      G: is Removable (No Media)
      H: is Removable (No Media)
      I: is Removable (No Media)
      J: is Removable (No Media)
      L: is CDROM (No Media)

      -- Security Center
      AUOptions is disabled.
      Windows Internal Firewall is disabled.
      FirstRunDisabled is set.
      AntiVirusDisableNotify is set.
      FirewallDisableNotify is set.
      UpdatesDisableNotify is set.
      AntivirusOverride is set.
      FirewallOverride is set.
      FW: COGECO Security Services 6.02 v6.02 (F-Secure Corporation)
      AV: COGECO Security Services 6.02 v6.02 (F-Secure Corporation)

      -- Environment Variables
      ALLUSERSPROFILE=C:\Documents and Settings\All Users
      APPDATA=C:\Documents and Settings\Owner.YOUR-968A8C4819\Application Data
      CLASSPATH=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
      CLIENTNAME=Console
      CommonProgramFiles=C:\Program Files\Common Files
      COMPUTERNAME=STEVE
      ComSpec=C:\WINDOWS\system32\cmd.exe
      FP_NO_HOST_CHECK=NO
      HOMEDRIVE=C:
      HOMEPATH=\Documents and Settings\Owner.YOUR-968A8C4819
      LOGONSERVER=\\STEVE
      NUMBER_OF_PROCESSORS=1
      OS=Windows_NT
      Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
      PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
      PROCESSOR_ARCHITECTURE=x86
      PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
      PROCESSOR_LEVEL=15
      PROCESSOR_REVISION=2f02
      ProgramFiles=C:\Program Files
      PROMPT=$P$G
      QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
      SESSIONNAME=Console
      SystemDrive=C:
      SystemRoot=C:\WINDOWS
      TEMP=C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp
      TMP=C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp
      USERDOMAIN=STEVE
      USERNAME=Owner
      USERPROFILE=C:\Documents and Settings\Owner.YOUR-968A8C4819
      windir=C:\WINDOWS
      __COMPAT_LAYER=EnableNXShowUI

      -- User Profiles
      Owner.YOUR-968A8C4819 (admin)
      Administrator (admin)

      -- Add/Remove Programs
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware Scanner"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus Client Security Installer"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure DAAS"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Diagnostics"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure E-mail Scanning"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure FWES"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure GUI"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Help"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Internet Shield"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Management Agent"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Spam Control"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Spam Scanner"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure TNB"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"F-Secure Web Filter"
      --> "C:\Program Files\COGECO Security Services\fsuninst.exe" /UninstRegKey:"News Service"
      --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
      --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
      µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
      3ivx D4 4.5.1 (remove only) --> "C:\Program Files\3ivx\3ivx D4 4.5.1\uninstall.exe"
      Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
      Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
      Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
      Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
      AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
      Battlefield 2(TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
      BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
      CloneDVD --> "C:\Program Files\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD"
      COGECO Security Services --> C:\PROGRA~1\COGECO~1\Common\fsbwih.exe /uninstall
      dBpowerAMP Au Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Au Codec.dat
      dBpowerAMP Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
      dBpowerAMP WMA V9.1 Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat
      Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
      DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
      DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
      DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
      DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
      DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
      DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
      DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
      DVDFab Decrypter 3.0.2.8 Beta --> "C:\Program Files\DVDFab Decrypter 3\unins000.exe"
      EA Link --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{F5577101-33CC-4711-8235-3A95BCD49DB0} /l1033
      EA SPORTS online 2007 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
      GameShadow --> MsiExec.exe /I{D50BB830-3961-48EB-83D9-03A04C63534F}
      GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
      Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
      Google Video Player --> "C:\Program Files\Google\Google Video Player\Uninstall.exe"
      Half-Life: Counter-Strike --> C:\Sierra\COUNTE~1\UNWISE.EXE C:\Sierra\COUNTE~1\INSTALL.LOG
      Hamachi 1.0.0.62 --> C:\Program Files\Hamachi\uninstall.exe
      Heroes of Might and Magic® IV: Winds of War --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Heroes of Might and Magic IV\Heroes of Might and Magic IV.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll
      Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
      HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
      iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
      Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
      LimeWire 4.10.9 --> "C:\Program Files\LimeWire\uninstall.exe"
      Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\SETUP.exe" -l0x9 UNINSTALL -removeonly
      Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
      Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
      Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
      Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
      Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
      Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
      Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
      Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
      Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
      MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
      MSXML4SP2 --> MsiExec.exe /I{451BB54C-8B23-4455-8BDC-14FC7D43E056}
      Natural Selection 3.2 --> "c:\program files\steam\steamapps\sostash\half-life\unins000.exe"
      Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
      Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
      NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
      Oblivion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
      Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
      PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
      PokerStars --> C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
      PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
      PSL2 Plugin --> C:\Program Files\PgcEdit\Uninstal.exe
      QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
      Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
      Scarface: The World is Yours --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{28142407-ACAD-4ECD-A6B6-9FA8471F6062}
      Sid Meier's Pirates! --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1632FD86-1BA4-4FC4-8B25-A8C655D63F68} /l1033
      Sierra Utilities --> C:\Program Files\Sierra On-Line\sutil32.exe uninstall
      Silent Hunter III --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9720C029-0C2C-4D1E-9DE0-E89971C4C8C7}
      Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
      Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
      Spy-Sheriff --> C:\Program Files\SpySheriff\Uninstall.exe
      Star Trek Legacy --> MsiExec.exe /I{287A4E96-AC57-4A19-9B51-C5EED2EAB382}
      Steam --> C:\PROGRA~1\Steam\UNWISE.EXE C:\PROGRA~1\Steam\INSTALL.LOG
      TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
      Tiger Woods PGA TOUR 07 --> C:\Program Files\EA SPORTS\Tiger Woods PGA TOUR 07\EAUninstall.exe
      UFile 2006 --> MsiExec.exe /X{1DC02E08-5098-42CD-81E3-4A5C877C7902}
      UFile Updater 2006 --> MsiExec.exe /X{329ABF30-0376-40AE-A8D2-231BF6AC605C}
      Uniblue Registry Booster --> "C:\Program Files\Uniblue\Registry Booster\unins000.exe"
      Uniblue SpeedUpMyPC --> "C:\Program Files\Uniblue\SpeedUpMyPC\unins000.exe"
      Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
      Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
      Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
      Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
      Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
      Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
      Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
      Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
      Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
      Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
      Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
      WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
      XML Paper Specification Shared Components Pack 1.0 -->
      XoftSpy --> C:\Program Files\XoftSpy\uninstall.exe

      -- End of Deckard's System Scanner: finished at 2007-03-29 at 18:11:27


      Incident Status Location
      Adware:adware/commad Not disinfected Windows Registry
      Adware:adware/sqwire Not disinfected Windows Registry
      Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
      Spyware:spyware/virtumonde Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
      Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner.YOUR-968A8C4819\Cookies\owner@xiti[1].txt
      Virus:W32/Gibe.C.worm Disinfected Personal Folders\Deleted Items\Latest Microsoft Security Patch\Q261699.exe
      Hacktool:Exploit/iFrame Not disinfected Personal Folders\Deleted Items\Abort Notice
      Potentially unwanted tool:Application/Pskill.K Not disinfected C:\Program Files\PgcEdit\bin\pskill.exe
      Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-367405231-2284523091-1955801859-1006\Dc1\Process.exe
      Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\SDFix\apps\Process.exe
      Virus:W32/Sdbot.KBW.worm Disinfected C:\SDFix\SDFix\backups\backups.zip[backups/msrv32.exe]
      Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
    • edited March 2007
      :) Hi steen15

Please back up your registry before fixing it:

      Start
      Run
      Type the following to the box and hit Ok: regedit
      A window opens, click on File
Choose Export from the menu
      Change the save location to C:\
      Give the filename, RegBackUp
Make sure that the file type is set to Registry files (*.reg)
      Click on Save and Close the window
      Please run Notepad and paste the following text into a new file:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms076209-214555]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mukywt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rwbmyprA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys_up1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SpySheriff"=-
      
      Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
      Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

      Then reboot your computer.

Please download RogueRemover. Unzip it to a convenient location such as C:\RogueRemover.
      Navigate to the folder you unzipped the files to and double click on the file named RogueRemover.exe.
      Check for updates
Select Scan and the program will walk you through the remaining steps. Save the logfile.

      Next, please reboot your computer in Safe Mode by doing the following :
      * Restart your computer
      * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      * Instead of Windows loading as normal, a menu with options should appear;
      * Select the first option, to run Windows in Safe Mode, then press "Enter".
      * Choose your usual account.

      • Close all open windows / programs / folders
      • Start AVG Anti-Spyware
      • Click the Scanner icon
      • Click Complete System Scan
      • Let the program scan the machine
      • When the scan has finished, follow the instructions below
• Make sure that under "Set all elements to" it reads Quarantine
        • (If not, click the text and choose Quarantine)
        • Click Apply all actions
        • Click Save Report
        • Click Save reports as
        • Save report to your Desktop
Post a fresh HijackThis log, RRLog.txt, and the AVG Anti-Spyware report
      ;)
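As an added example (not part of either post, and not code from HijackThis, Deckard's or any other tool named here): a small Python checker for the REGEDIT4 syntax that fix file uses. It shows what the two kinds of line in the fix do when merged, `[-KEY]` deletes a whole key with everything under it, `"name"=-` deletes one value under the key named on the previous `[KEY]` line, and it rejects text regedit would not accept: a bracket in front of the `REGEDIT4` header, a stray `]` after the `=-` line, or data that is not a quoted string, `dword:` or `hex:`. The same parser reads the Deckard's `msconfig\startupreg` dump posted earlier, since that is the same syntax. The fix file below is the one from the post above; the broken variant is constructed here, and the one-section dump excerpt is copied from the log.

```python
"""REGEDIT4 (.reg) checker for the fix file merged in the post above and for the Deckard's dump. Added example, not the thread's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}
KEY_RE = re.compile(r'^\[(-?)([^\[\]]+)\]$')                # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data
DATA_RE = re.compile(r'^(?:"(?:[^"\\]|\\.)*"|dword:[0-9A-Fa-f]{8}|hex(?:\([0-9A-Fa-f]+\))?:[0-9A-Fa-f,]*)$')


@dataclass
class RegPlan:
    delete_keys: List[str] = field(default_factory=list)                  # [-KEY]
    delete_values: List[Tuple[str, str]] = field(default_factory=list)    # "name"=-
    set_values: List[Tuple[str, str, str]] = field(default_factory=list)  # "name"=data


def parse_reg(text: str) -> RegPlan:
    """Turn .reg text into the merge it describes; ValueError on anything regedit would reject."""
    lines = [raw.strip() for raw in text.splitlines()]
    start = next((i for i, ln in enumerate(lines) if ln), len(lines))
    got = lines[start] if start < len(lines) else "<empty>"
    if got not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError(f"line {start + 1}: expected a REGEDIT4 header, got {got!r}")
    plan, key = RegPlan(), None
    for n, line in enumerate(lines[start + 1:], start=start + 2):
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            if not (m := KEY_RE.match(line)):
                raise ValueError(f"line {n}: malformed key line {line!r}")
            minus, path = m.groups()
            if path.split("\\", 1)[0].upper() not in HIVES:
                raise ValueError(f"line {n}: unknown root hive in {path!r}")
            if minus:                       # [-KEY] deletes the whole subtree
                plan.delete_keys.append(path)
            key = None if minus else path
            continue
        if not (m := VALUE_RE.match(line)):
            raise ValueError(f"line {n}: expected a key or value line, got {line!r}")
        if key is None:
            raise ValueError(f"line {n}: value line outside a [KEY] section")
        name, data = ("@" if m.group(1) is None else m.group(1)), m.group(2).strip()
        if data == "-":                     # "name"=- deletes that one value
            plan.delete_values.append((key, name))
        elif DATA_RE.match(data):
            plan.set_values.append((key, name, data))
        else:
            raise ValueError(f"line {n}: malformed data {data!r} for value {name!r}")
    return plan


def validate(text: str) -> Optional[str]:
    """None if the file would merge cleanly, otherwise the first problem found."""
    try:
        parse_reg(text)
    except ValueError as e:
        return str(e)
    return None


def startup_entries(plan: RegPlan) -> List[Tuple[str, str, str, str]]:
    """Collapse a parsed msconfig\\startupreg dump into (entry, hkey, item, command) rows."""
    rows: Dict[str, Dict[str, str]] = {}
    for key, name, data in plan.set_values:
        unescaped = re.sub(r"\\(.)", r"\1", data.strip('"'))  # undo .reg escaping of \ and "
        rows.setdefault(key.rsplit("\\", 1)[-1], {})[name] = unescaped
    return [(k, v.get("hkey", ""), v.get("item", ""), v.get("command", "")) for k, v in rows.items()]


# The fix file from the post above (header and =- line exactly as regedit wants them).
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms076209-214555]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mukywt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rwbmyprA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys_up1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SpySheriff"=-
"""

# Constructed variant: a '[' in front of the header and a stray ']' after the =- line.
BROKEN_REG = FIX_REG.replace("REGEDIT4", "[REGEDIT4", 1).replace('"SpySheriff"=-', '"SpySheriff"=- ]')

# One section copied from the Deckard's msconfig\startupreg dump above, given the header it lacks.
DUMP_SAMPLE = "REGEDIT4\n\n" + r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys_up1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svchostsys"
"hkey"="HKCU"
"command"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"inimapping"="0"
"""
```

Run `validate()` on a fix file before double-clicking it; a file that fails the header check is rejected as a whole, so a one-character slip in Notepad means nothing gets removed. One caveat the `startupreg` rows make visible: everything under `HKLM\...\MSConfig\startupreg` is msconfig's own copy of startup items that were unchecked in its Startup tab, not the live `Run` keys. Deleting those keys cleans up the record; whatever is still launching at logon shows up in the `O4 - HKLM\..\Run` and `O4 - HKCU\..\Run` lines of the HijackThis log, and that is where to look if the same names keep coming back.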
    • edited April 2007
I couldn't find a log file for RR or where to save one either, but the scan didn't find anything.

      Logfile of HijackThis v1.99.1
      Scan saved at 9:51:48 PM, on 4/1/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
      C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\Program Files\COGECO Security Services\Common\FSMB32.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\COGECO Security Services\Common\FCH32.EXE
      C:\Program Files\COGECO Security Services\Common\FAMEH32.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fsrw.exe
      C:\Program Files\COGECO Security Services\FSPC\fspc.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
      C:\Program Files\COGECO Security Services\Common\FSM32.EXE
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\Windows Media Player\WMPNSCFG.exe
      C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Hijackthis\HijackThis.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\COGECO Security Services\Common\FSM32.EXE" /splash
      O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\COGECO Security Services\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
      O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\COGECO Security Services\FSGUI\FSSW.EXE" /reboot
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: COGECO Security Services.lnk = C:\Program Files\COGECO Security Services\backweb\9867844\Program\fspex.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O8 - Extra context menu item: &Block this popup - C:\Program Files\COGECO Security Services\Anti-Spyware\blockpopups.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\COGECO Security Services\FSPC\fspcmsie.dll
      O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\COGECO Security Services\Anti-Spyware\ieshield.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
      O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
      O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
      O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913656412
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
      O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
      O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
      O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: COGECO Security Services (BackWeb Plug-in - 9867844) - BackWeb Technologies Inc. - C:\PROGRA~1\COGECO~1\backweb\9867844\Program\SERVIC~1.EXE
      O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
      O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\COGECO Security Services\backweb\9867844\program\fsbwsys.exe
      O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe (file missing)
      O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\COGECO Security Services\FSPC\fshttps\fshttps.exe
      O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


      AVG Anti-Spyware - Scan Report
      + Created at: 9:47:52 PM 4/1/2007
      + Scan result:

      C:\Documents and Settings\Owner.YOUR-968A8C4819\Cookies\owner@stats.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
      C:\Documents and Settings\Owner.YOUR-968A8C4819\Cookies\owner@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
      C:\Documents and Settings\Owner.YOUR-968A8C4819\Cookies\owner@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned.
      C:\Documents and Settings\Owner.YOUR-968A8C4819\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned.
      C:\Documents and Settings\Owner.YOUR-968A8C4819\Cookies\owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
      C:\Documents and Settings\Owner.YOUR-968A8C4819\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
      C:\Documents and Settings\Owner.YOUR-968A8C4819\Cookies\owner@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
      C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP363\A0124278.vbs -> Trojan.Small : Cleaned.

      ::Report end
    • edited April 2007
      Hi steen15 :)

      Congratulations, your log looks clean!
      Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
      @echo off
      sc stop "Microsoft Validation Service"
      sc delete "Microsoft Validation Service"
      

      Double click FixServices.bat. A window will open and close. This is normal.

      Open HijackThis
      - Click the Do a system scan only button
      - Check the following entries (below)
      O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)

      :smiles:
      Now that you are clean, please follow these simple steps in order to keep your computer clean and secure
      The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
      Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
      AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
      SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
      SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
      IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
      CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
      Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
      Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
      Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
      To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klei

      Happy surfing and stay clean! :wink:
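The reply above singles out the O23 line whose binary is "(file missing)" and whose owner is unknown, then removes that service with `sc stop` / `sc delete`. The script below, added here as an example and not code from this thread or from HijackThis, does the same triage over a constructed sample made of lines from the log above: it parses O23 service entries and the O10 LSP line, lists the services worth a second look with the reason each was flagged, and builds the same two `sc` commands for an entry a reviewer has decided on. The O23 field layout it assumes (display name, optional key name in parentheses, owner, path, optional "(file missing)") is inferred from the lines shown here, and the assumption that `sc.exe` wants the key name in parentheses, falling back to the display name when none is printed, is mine.

```python
"""Triage of HijackThis O23/O10 lines (added example; not HijackThis code)."""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the log in this thread plus one healthy
# NVIDIA entry for contrast.
SAMPLE_LOG = """\
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\\Program Files\\COGECO Security Services\\FWES\\Program\\fsdfwd.exe (file missing)
O23 - Service: Microsoft Validation Service - Unknown owner - C:\\WINDOWS\\wmiprsv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Assumed O23 layout (inferred from the log above):
# "O23 - Service: <display> [(<key name>)] - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O10_RE = re.compile(r"^O10 - .*LSP provider '(?P<provider>[^']+)' missing$")


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Parse one O23 line into its fields; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        # Assumption: sc.exe wants the service key name, which HijackThis prints
        # in parentheses only when it differs from the display name.
        "key": m.group("key") or m.group("display"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def find_suspicious_services(log_text: str) -> List[Dict[str, object]]:
    """O23 entries worth a closer look, each with the reasons it was flagged.

    This is a review list, not a deletion list: the F-Secure daemon is flagged
    too, and a reviewer would reinstall that rather than delete it.
    """
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["file_missing"]:
            reasons.append("binary missing on disk")
        if str(svc["owner"]).lower() == "unknown owner":
            reasons.append("no vendor recorded for the binary")
        if reasons:
            findings.append({**svc, "reasons": reasons})
    return findings


def find_broken_lsp(log_text: str) -> List[str]:
    """Names of LSP providers that HijackThis reports as missing (O10 lines)."""
    matches = (O10_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.group("provider") for m in matches if m]


def build_fix_commands(service: Dict[str, object]) -> List[str]:
    """The two sc.exe commands the forum reply used, for one reviewed entry."""
    key = service["key"]
    return [f'sc stop "{key}"', f'sc delete "{key}"']


if __name__ == "__main__":
    for svc in find_suspicious_services(SAMPLE_LOG):
        print(f"{svc['display']}: {', '.join(svc['reasons'])}")
        for cmd in build_fix_commands(svc):
            print("    ", cmd)
    for provider in find_broken_lsp(SAMPLE_LOG):
        print(f"broken LSP chain: {provider} missing (Winsock repair, not a service deletion)")
```

The O10 line is reported separately on purpose: a missing LSP provider breaks the Winsock chain and is repaired by restoring the chain (on XP SP2, `netsh winsock reset` does this), not by deleting a service, which is why the reply's FixServices.bat does not touch it.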