18 replies to this topic

[Fujisan]

Add us to the list of Privacy Danger victims. I have run AVG Anti-Spyware, Spybot, Spyware Doctor, AdAware 2007, Super Antispyware, Avira Antivir, and SD Fix. This has made the desktop look normal again, has allowed me to access the task manager once again, and has stopped the pop-ups. I still can't access the control panel, and we keep getting the message "This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator" when we try to access certain things. Also, we can't keep the AntiVir Guard running, because it pops up with a constant stream of warnings about a Trojan called Crypt.Xpack.Gen.

I'll paste the Hijack This log here. Any help would be greatly greatly appreciated.

Thank you very much.

Logfile of HijackThis v1.99.1
Scan saved at 9:32:41 AM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.exe
H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
H:\Program Files\Icons\SetIcon.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\QuickTime\qttask.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
H:\Program Files\Nikon\PictureProject\NkbMonitor.exe
H:\Program Files\AntiVir PersonalEdition Classic\sched.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SetIcon] H:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCLEPCI] H:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] H:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [\\BLACKDELL\EPSON Stylus Photo R220 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [\\EMS\EPSON Stylus Photo R200 Series cd] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "\\EMS\EPSON Stylus Photo R200 Series cd" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series (Index) on EMS] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P50 "Auto EPSON Stylus Photo R220 Series (Index) on EMS" /O19 "\\EMS\EPSON220Index" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P53 "Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS" /O16 "\\EMS\EPSON220CD" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [WinAVX] H:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\\BLACKDELL\EPSON Stylus Photo R200 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [IW_Drop_Icon] H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAVX] H:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: ColorVisionStartup.lnk = H:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = H:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: H:\WINDOWS\system32\hanonvt.ini
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Gp10nftnicwt - Unknown owner - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\swdsvc.exe

[AndyManchesta]

Hi Fujisan, Welcome to the forum

You should print out these instructions, or copy them to a Notepad file and save it to your desktop, because you will not be able to connect to the Internet to read from this site for most of the fix

Goto Start > Run > then copy and paste

sc delete Gp10nftnicwt

Press OK and you will just notice the cmd screen flash on then off again then the service will be removed

Next please uplaod a file so we can check what changes it makes to the system

Please visit the below link

http://www.bleepingcomputer.com/submit-mal....php?channel=27

In the Browse to the file you want to submit: area, copy and paste this

H:\WINDOWS\system32\WinAvXX.exe

Then click Send File. Once it shows

Quote

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

You can then close that site and continue with the steps below

Download SmitfraudFix and save it to your system,

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, a menu with options should appear;
  
• Select the first option, to run Windows in Safe Mode, then press "Enter".
  
• Choose your usual account.

Once in Safe Mode, Run HijackThis and choose Do A System Scan then place a check next to these entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [WinAVX] H:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] H:\WINDOWS\system32\WinAvXX.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: H:\WINDOWS\system32\hanonvt.ini

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Next double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

Once your back in Normal Mode run Kaspersky WebScanner

• Please go HERE and click Kaspersky Online Scanner
  
• Read and Accept the Agreement
  
• You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  
• If you see a Windows [dialog asking if you want to install this software, click the Install button.
  
• The program will launch and then begin downloading the latest definition files,
  
• When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  
• Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  
• Under "Please select a target to scan:", click My Computer to start the scan.
  
• When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

Please then post back the SDFix report if its still on the system (Located at H:\SDFix\report.txt), the Smitfraudfix report (H:\Rapport.txt), the Kaspersky results and a new HijackThis log

Let us know if you have any problems

Thanks

[AndyManchesta]

Thanks for uploading the file, the size was 0 bytes so it may of already been removed from your system, let us know if you have any problems with the other steps from my last post then we can continue once Ive seen the logs,

Cheers

[Fujisan]

Thank you so much for your help.

When I got to the step in Hijack This to "Fix Checked" I got a message that said "Registry editing has been disabled by your administrator". It looked like it went ahead and did it anyway, but I'm not sure. The computer seems to be acting exactly the same way as before (except the desktop background is gone now). I still can't access the control panel and still get the "This operation has been canceled due to restrictions..." message.

Anyway, here are the logs.

First, the old SD Fix log.


SDFix: Version 1.99

Run by Bud on Sat 08/18/2007 at 03:30 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: H:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

H:\WINDOWS
No streams found.

H:\WINDOWS\system32
No streams found.

H:\WINDOWS\system32\svchost.exe
No streams found.

H:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"H:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="H:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"H:\\Program Files\\Messenger\\msmsgs.exe"="H:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"H:\\Program Files\\Microtek\\ScanWizard Pro\\LANServer.exe"="H:\\Program Files\\Microtek\\ScanWizard Pro\\LANServer.exe:*:Enabled:LAN Server"
"H:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="H:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"H:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="H:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"H:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="H:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"H:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="H:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"H:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="H:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"H:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="H:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"H:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="H:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"H:\\Program Files\\Last.fm\\LastFM.exe"="H:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"H:\\Program Files\\iTunes\\iTunes.exe"="H:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"H:\\Program Files\\Mozilla Firefox\\firefox.exe"="H:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"H:\\Program Files\\Real\\RealPlayer\\realplay.exe"="H:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

H:\Documents and Settings\Bud\Application Data\U3\temp\Launchpad Removal.exe
H:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Finished









SmitFraudFix v2.213b

Scan done at 13:34:41.03, Mon 08/20/2007
Run from H:\Documents and Settings\Bud\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 atdmt.com
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 engine.awaps.net
192.168.200.3 fastclick.net
192.168.200.3 ftp.avp.ch
192.168.200.3 ftp.kasperskylab.ru
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 www.awaps.net
192.168.200.3 www.symantec.com
192.168.200.3 www.viruslist.ru

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{00470301-F087-47F6-9DF2-36B131E78226}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{00470301-F087-47F6-9DF2-36B131E78226}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End







-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 20, 2007 3:38:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 20/08/2007
Kaspersky Anti-Virus database records: 386240
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
H:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 137868
Number of viruses found: 9
Number of infected objects: 39
Number of suspicious objects: 0
Duration of the scan process: 01:31:09

Infected Object Name / Virus Name / Last Action
C:\iwctrllog.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
H:\Documents and Settings\Bud\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
H:\Documents and Settings\Bud\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Bud\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Bud\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Bud\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Bud\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
H:\Documents and Settings\Bud\Desktop\Torpark 2.0.0.3a\App\Tconfig.exe/data0004 Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
H:\Documents and Settings\Bud\Desktop\Torpark 2.0.0.3a\App\Tconfig.exe NSIS: infected - 1 skipped
H:\Documents and Settings\Bud\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Bud\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Bud\Local Settings\Application Data\Mozilla\Firefox\Profiles\oc0vko1u.default\Cache\63329BDCd01/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Bud\Local Settings\Application Data\Mozilla\Firefox\Profiles\oc0vko1u.default\Cache\63329BDCd01/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Bud\Local Settings\Application Data\Mozilla\Firefox\Profiles\oc0vko1u.default\Cache\63329BDCd01 RarSFX: infected - 2 skipped
H:\Documents and Settings\Bud\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Bud\Local Settings\History\History.IE5\MSHist012007082020070821\index.dat Object is locked skipped
H:\Documents and Settings\Bud\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Bud\ntuser.dat Object is locked skipped
H:\Documents and Settings\Bud\NTUSER.DAT.LOG Object is locked skipped
H:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
H:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
H:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
H:\RECYCLER\NPROTECT�166917.DBX/[From from <pw-conf@ebay.com> forward (org good) [db-null]][Date Sat, 08 Apr 2006 20:10:11 -0400]/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.kl skipped
H:\RECYCLER\NPROTECT�166917.DBX/[From from <pw-conf@ebay.com> forward (org good) [db-null]][Date Sat, 08 Apr 2006 20:10:11 -0400]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.kl skipped
H:\RECYCLER\NPROTECT�166917.DBX/[From from <pw-conf@ebay.com> forward (org good) [db-null]][Date Sat, 08 Apr 2006 20:10:11 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.kl skipped
H:\RECYCLER\NPROTECT�166917.DBX Mail MS Outlook 5: infected - 3 skipped
H:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.my skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP177\A0062002.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP178\A0062051.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bzl skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP178\A0062051.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bzl skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP178\A0062051.exe NSIS: infected - 2 skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP179\A0062296.ocx Infected: Trojan.Win32.Agent.ahq skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP179\A0062338.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bzl skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP179\A0062338.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bzl skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP179\A0062338.exe NSIS: infected - 2 skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0062357.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bzl skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0062357.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bzl skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0062357.exe NSIS: infected - 2 skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0062591.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0063646.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0063647.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0063669.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bzl skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0063669.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bzl skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP182\A0063669.exe NSIS: infected - 2 skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP191\A0073229.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP191\A0073246.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
H:\System Volume Information\_restore{36ADF857-E310-417A-A961-A48F78699DE5}\RP193\change.log Object is locked skipped
H:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
H:\WINDOWS\SchedLgU.Txt Object is locked skipped
H:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINDOWS\Sti_Trace.log Object is locked skipped
H:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
H:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
H:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\default Object is locked skipped
H:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
H:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\SECURITY Object is locked skipped
H:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
H:\WINDOWS\system32\config\software Object is locked skipped
H:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
H:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\system Object is locked skipped
H:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
H:\WINDOWS\system32\drivers\etc\hosts.20070816-173029.backup Infected: Trojan.Win32.Qhost.mg skipped
H:\WINDOWS\system32\drivers\etc\hosts.20070818-172541.backup Infected: Trojan.Win32.Qhost.mg skipped
H:\WINDOWS\system32\drivers\etc\hosts.20070818-172542.backup Infected: Trojan.Win32.Qhost.mg skipped
H:\WINDOWS\system32\h323log.txt Object is locked skipped
H:\WINDOWS\system32\hanonvt.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
H:\WINDOWS\wiadebug.log Object is locked skipped
H:\WINDOWS\wiaservc.log Object is locked skipped
H:\WINDOWS\WindowsUpdate.log Object is locked skipped
Z:\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
Z:\SmitfraudFix.zip ZIP: infected - 1 skipped

Scan process completed.




This HijackThis log is from after everything else was done.

Logfile of HijackThis v1.99.1
Scan saved at 3:44:45 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
H:\Program Files\Icons\SetIcon.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\QuickTime\qttask.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program Files\AntiVir PersonalEdition Classic\sched.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\System32\svchost.exe
H:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
H:\Program Files\Nikon\PictureProject\NkbMonitor.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SetIcon] H:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCLEPCI] H:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] H:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [\\BLACKDELL\EPSON Stylus Photo R220 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [\\EMS\EPSON Stylus Photo R200 Series cd] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "\\EMS\EPSON Stylus Photo R200 Series cd" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series (Index) on EMS] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P50 "Auto EPSON Stylus Photo R220 Series (Index) on EMS" /O19 "\\EMS\EPSON220Index" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P53 "Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS" /O16 "\\EMS\EPSON220CD" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\\BLACKDELL\EPSON Stylus Photo R200 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [IW_Drop_Icon] H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: ColorVisionStartup.lnk = H:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = H:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - AppInit_DLLs: H:\WINDOWS\system32\hanonvt.ini
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\swdsvc.exe

[AndyManchesta]

Hi Fujisan

Thanks for the logs, its Smitfraudfix that has reset your wallpaper so just restore the one you want to use again, when you said 'the computer seems to be acting the way it was before', how do you mean ? if its the lack of Control Panel then do not worry about that as we can sort that out soon, the main part is getting rid of the trojans first so we dont have to keep fixing the damage its causing.

Please remove some of the tools you have used before proceeding as they are not needed now

Delete the H:\SDFix folder and the SDFix.exe file from the location you saved it to.

Delete the Z:\SmitfraudFix.zip and H:\Documents and Settings\Bud\Desktop\SmitfraudFix folders

These tools are updated every few days so its not worth keeping them on the system.

Please then download The Avenger by Swandog46 to your Desktop

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop

Copy all of the text contained in the code box below (making Files to Delete: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to Delete:

H:\WINDOWS\system32\drivers\etc\hosts.20070816-173029.backup 
H:\WINDOWS\system32\drivers\etc\hosts.20070818-172541.backup
H:\WINDOWS\system32\drivers\etc\hosts.20070818-172542.backup
H:\WINDOWS\system32\hanonvt.ini
H:\WINDOWS\system32\winav.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
  
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  
• Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  
• Click Done
  
• Now click on the Green Light to begin execution of the script
  
• Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at H:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to H:\avenger\backup.zip.

Please copy/paste the content of H:\avenger.txt into your next reply

After reboot fix this entry with HijackThis

O20 - AppInit_DLLs: H:\WINDOWS\system32\hanonvt.ini

Next Open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\winav.exe"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\winav.exe"=-

Goto File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it fix.reg and save it to your desktop, double click fix.reg(or right click and choose Merge) and allow it to be merged into the registry which will remove the entries.

Open Notepad again

Copy and Paste the contents of the code box into Notepad

regedit.exe /e checkreg1.txt "HKEY_CURRENT_USER\Software\Policies\Microsoft"
regedit.exe /e checkreg2.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft"
regedit.exe /e checkreg3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit.exe /e checkreg4.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
TYPE checkreg*.txt >> Result.txt
del /q Checkreg*.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

Double click Check.bat and it will export the information from the registry and save it to a text file named Result.txt which will save to your desktop, please upload the Report.txt into your next reply by clicking Browse on the Attachment area below the reply windows then locate the Report.txt and click Upload

Please post back the Avenger log (H:\avenger.txt), the Report.txt and a new HijackThis log

Cheers

[Fujisan]

Thanks again.

When I said that the computer was the same as before, I was talking about the lack of control panel. It wasn't concern or criticism -- I was just reporting what I saw.

Here are the new logs.

I got another error message when I tried to remove the entry with HijackThis. I'll post that message first.



An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: H:\WINDOWS\system32\hanonvt.ini)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.





Logfile of HijackThis v1.99.1
Scan saved at 5:35:13 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Icons\SetIcon.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\QuickTime\qttask.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\Program Files\AntiVir PersonalEdition Classic\sched.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
H:\Program Files\Nikon\PictureProject\NkbMonitor.exe
H:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SetIcon] H:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCLEPCI] H:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] H:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [\\BLACKDELL\EPSON Stylus Photo R220 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [\\EMS\EPSON Stylus Photo R200 Series cd] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "\\EMS\EPSON Stylus Photo R200 Series cd" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series (Index) on EMS] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P50 "Auto EPSON Stylus Photo R220 Series (Index) on EMS" /O19 "\\EMS\EPSON220Index" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P53 "Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS" /O16 "\\EMS\EPSON220CD" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\\BLACKDELL\EPSON Stylus Photo R200 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [IW_Drop_Icon] H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: ColorVisionStartup.lnk = H:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = H:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\swdsvc.exe






Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\njwdsdee

*******************

Script file located at: \??\H:\Program Files\^skxmxew.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at H:\Avenger

*******************

Beginning to process script file:

File H:\WINDOWS\system32\drivers\etc\hosts.20070816-173029.backup deleted successfully.
File H:\WINDOWS\system32\drivers\etc\hosts.20070818-172541.backup deleted successfully.
File H:\WINDOWS\system32\drivers\etc\hosts.20070818-172542.backup deleted successfully.
File H:\WINDOWS\system32\hanonvt.ini deleted successfully.


File H:\WINDOWS\system32\winav.exe not found!
Deletion of file H:\WINDOWS\system32\winav.exe failed!

Could not process line:
H:\WINDOWS\system32\winav.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.an.

Attached Files

•  Result.txt   58.7K   1 downloads

[AndyManchesta]

Quote

When I said that the computer was the same as before, I was talking about the lack of control panel. It wasn't concern or criticism -- I was just reporting what I saw.

Thanks for the info', I just wanted to make sure there wasn't additional problems

Quote

I got another error message when I tried to remove the entry with HijackThis. I'll post that message first.
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: H:\WINDOWS\system32\hanonvt.ini)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

That's fine, it's just a bug in the older version of HijackThis and it can be ignored as it was able to remove the entry, if you wanted to replace it with the latest version of HijackThis which is now owned by Trend Micro, just remove HijackThis from the Add/Remove screen then download the latest version from here

http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe


Your latest log is now clean so there's just a couple of things left to clean up then run a quick scan to make sure there's no hidden files

Delete the H:\Avenger folder and H:\Avenger.txt

You can also delete the Report.txt from your dekstop and Check.bat, then create a new reg fix with this inside (you can use the fix.reg you already created earlier and just right click it then choose Edit) and copy and paste this over the earlier commands making REGEDIT4 the top line

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=-

Next empty the Norton Protected Recycle Bin by right-clicking the Norton Protected Recycle Bin icon, and then click Empty Norton Protected Files.

Then clear your System Restore points:

Click Start Menu > All Programs > Accessories > System Tools > SystemRestore

Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup

Please then open HijackThis, click Config... in the bottom right of the scan screen or open the Misc Tools section if its on the Main Menu, click Open hosts file manager and this will then display the contents of the hosts file, please then click Open in Notepad and copy and paste the contents of the notepad file back on here so we can make sure the hosts file is correct.

Finally download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the fsbl.exe file.

Post the Blacklight log if any hidden items are found and let us know if there's still problems on the system

Thanks

[Fujisan]

Hi. All seems well now except that I still can't find the control panel and I'm still getting the "This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator" in certain situations (For example, when I went to My Computer and clicked on the Add/Remove programs). The difference now is that if I click "ok" on that error message, the Add/Remove programs actually appears. Before you helped me, when I clicked "ok" on the error message is just ended there without allowing me to access what I was trying to access.

I don't think I explained that very clearly, so if you have any questions just let me know.

Blacklight said that it didn't find any hidden files, but I'll post that log anyway, along with the newest HijackThis log.

Thanks again.


08/21/07 09:38:19 [Info]: BlackLight Engine 1.0.64 initialized
08/21/07 09:38:19 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/21/07 09:38:19 [Note]: 7019 4
08/21/07 09:38:19 [Note]: 7005 0
08/21/07 09:38:29 [Note]: 7006 0
08/21/07 09:38:29 [Note]: 7011 1732
08/21/07 09:38:29 [Note]: 7026 0
08/21/07 09:38:29 [Note]: 7026 0
08/21/07 09:38:31 [Note]: FSRAW library version 1.7.1022
08/21/07 09:42:35 [Note]: 7007 0




Logfile of HijackThis v1.99.1
Scan saved at 9:35:02 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Icons\SetIcon.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\QuickTime\qttask.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\Program Files\AntiVir PersonalEdition Classic\sched.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\System32\svchost.exe
H:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
H:\Program Files\Nikon\PictureProject\NkbMonitor.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SetIcon] H:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCLEPCI] H:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] H:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [\\BLACKDELL\EPSON Stylus Photo R220 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [\\EMS\EPSON Stylus Photo R200 Series cd] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "\\EMS\EPSON Stylus Photo R200 Series cd" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series (Index) on EMS] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P50 "Auto EPSON Stylus Photo R220 Series (Index) on EMS" /O19 "\\EMS\EPSON220Index" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P53 "Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS" /O16 "\\EMS\EPSON220CD" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\\BLACKDELL\EPSON Stylus Photo R200 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [IW_Drop_Icon] H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: ColorVisionStartup.lnk = H:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = H:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - H:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\swdsvc.exe

[AndyManchesta]

Can you create a new Check.bat with a couple of extra keys to be checked, delete the original check.bat and the report.txt it created if it still exists

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad

regedit.exe /e checkreg1.txt "HKEY_CURRENT_USER\Software\Policies\Microsoft"
regedit.exe /e checkreg2.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft"
regedit.exe /e checkreg3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit.exe /e checkreg4.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit.exe /e checkreg5.txt "HKEY_USERS\.DEFAULT\Microsoft\Windows\CurrentVersion\Policies"
regedit.exe /e checkreg6.txt "HKEY_USERS\.DEFAULT\Software\Policies\Microsoft"
TYPE checkreg*.txt >> Result.txt
del /q Checkreg*.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

Double click Check.bat again and it will export the information from the registry and save it to the Result.txt which you can then upload again into your next reply

Next download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

Can you also let me know if you have XP Home or XP Professional

Cheers

[Fujisan]

I have XP Professional.

Here's the ComboFix log. I'll attach the Result.txt

ComboFix 07-08-17.2 - "Bud" 2007-08-21 12:01:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1536 [GMT -6:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 12:00 51,200 --a------ H:\WINDOWS\nircmd.exe
2007-08-20 13:46 <DIR> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-20 13:45 <DIR> d-------- H:\WINDOWS\system32\Kaspersky Lab
2007-08-20 13:35 4,508 --a------ H:\WINDOWS\system32\tmp.reg
2007-08-18 17:42 <DIR> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-18 17:28 <DIR> d-------- H:\Program Files\CCleaner
2007-08-18 15:52 <DIR> d-------- H:\Program Files\SUPERAntiSpyware
2007-08-18 15:52 <DIR> d-------- H:\DOCUME~1\Bud\APPLIC~1\SUPERAntiSpyware.com
2007-08-18 15:52 <DIR> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-18 14:54 <DIR> d-------- H:\WINDOWS\ERUNT
2007-08-15 12:59 82,248 --a------ H:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-15 12:59 626,688 --a------ H:\WINDOWS\system32\msvcr80.dll
2007-08-15 12:59 57,672 --a------ H:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-15 12:59 40,264 --a------ H:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-15 12:59 29,000 --a------ H:\WINDOWS\system32\drivers\kcom.sys
2007-08-15 12:59 <DIR> d-------- H:\Program Files\Spyware Doctor
2007-08-15 12:59 <DIR> d-------- H:\DOCUME~1\Bud\APPLIC~1\PC Tools
2007-08-15 12:59 <DIR> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-14 18:15 20,992 --a------ H:\WINDOWS\psvenc.exe
2007-08-14 11:39 <DIR> d-------- H:\Program Files\Common Files\xing shared
2007-07-30 17:45 <DIR> d-------- H:\Program Files\YouNameIt


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 13:44 --------- d-------- H:\DOCUME~1\Bud\APPLIC~1\Google
2007-08-18 15:52 --------- d-------- H:\Program Files\Common Files\Wise Installation Wizard
2007-08-18 10:55 212849 --a------ H:\Program Files\hijackthis.zip
2007-08-15 13:11 --------- d-------- H:\Program Files\Google
2007-08-15 10:57 --------- d-------- H:\Program Files\Horses
2007-08-14 11:39 --------- d-------- H:\Program Files\Real
2007-08-14 11:38 --------- d-------- H:\Program Files\Common Files\Real
2007-08-13 10:29 --------- d-------- H:\DOCUME~1\Bud\APPLIC~1\OpenOffice.org2
2007-08-04 09:54 --------- d-------- H:\Program Files\Napster
2007-07-12 14:11 --------- d-------- H:\DOCUME~1\Bud\APPLIC~1\U3
2007-07-03 17:35 --------- d-------- H:\Program Files\Lavasoft
2007-07-03 17:35 --------- d-------- H:\DOCUME~1\Bud\APPLIC~1\Lavasoft
2007-06-26 00:08 1104896 --a------ H:\WINDOWS\system32\msxml3.dll
2007-06-19 07:31 282112 --a------ H:\WINDOWS\system32\gdi32.dll
2007-06-13 04:23 1033216 --a------ H:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetIcon"="H:\Program Files\Icons\SetIcon.exe" [2002-12-16 11:02]
"NvCplDaemon"="H:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06]
"nwiz"="nwiz.exe" [2005-12-10 04:06 H:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="H:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 04:06]
"PCLEPCI"="H:\PROGRA~1\Pinnacle\PPE\PPE.EXE" [2004-02-03 16:13]
"Cmaudio"="cmicnfg.cpl" []
"AVG7_CC"="H:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-13 09:45]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
"PinnacleDriverCheck"="H:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 02:26]
"\\BLACKDELL\EPSON Stylus Photo R220 Series"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.exe" [2005-03-09 05:00]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"\\EMS\EPSON Stylus Photo R200 Series cd"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 05:00]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Auto EPSON Stylus Photo R220 Series (Index) on EMS"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.exe" [2005-03-09 05:00]
"Auto EPSON Stylus Photo R220 Series (CD Cover) on EMS"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.exe" [2005-03-09 05:00]
"avgnt"="H:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="H:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"\\BLACKDELL\EPSON Stylus Photo R200 Series"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 05:00]
"IW_Drop_Icon"="H:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 12:34]
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-08-15 13:00]
"SUPERAntiSpyware"="H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2005-05-24 21:51:33]
ColorVisionStartup.lnk - H:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 10:37:55]
LaunchU3.exe.lnk - H:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2007-07-12 13:37:58]
Microsoft Office.lnk - H:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
NkbMonitor.exe.lnk - H:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-07-20 12:28:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"MaxRecentDocs"=1 (0x1)
"NoSimpleStartMenu"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= H:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
H:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 H:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R1 avgio;avgio;\??\H:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;H:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 MemAlloc;MemAlloc;H:\WINDOWS\system32\DRIVERS\memalloc.sys
R1 ssmdrv;ssmdrv;H:\WINDOWS\system32\DRIVERS\ssmdrv.sys
R1 vobiw;vobiw;H:\WINDOWS\system32\drivers\vobiw.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;H:\WINDOWS\system32\DRIVERS\AN983.sys
R3 avgntflt;avgntflt;\??\H:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
R3 cdrdrv;Cdrdrv;H:\WINDOWS\system32\Drivers\Cdrdrv.sys
R3 epppdt;EPSON 1394.3 Class;H:\WINDOWS\system32\DRIVERS\epppdt.sys
R3 epppdtpr;EPSON 1394.3 Printer Class;H:\WINDOWS\system32\DRIVERS\epppdtpr.sys
R3 scsiscan;SCSI Scanner Driver;H:\WINDOWS\system32\DRIVERS\scsiscan.sys
R3 usbprint;Microsoft USB PRINTER Class;H:\WINDOWS\system32\DRIVERS\usbprint.sys
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;H:\WINDOWS\system32\DRIVERS\lstone2k.sys
S2 Ca536av;FashionCam Video Camera Device;H:\WINDOWS\system32\Drivers\Ca536av.sys
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;H:\WINDOWS\system32\Drivers\ALABULK2.sys
S3 cvspydr2;ColorVision Spyder 2;H:\WINDOWS\system32\DRIVERS\cvspydr2.sys
S3 USBCamera;FashionCam Digital Still Camera Device;H:\WINDOWS\system32\Drivers\Bulk536.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88e8ddc-fbf8-11db-b3ba-0020ed6c9173}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9c78aba-3079-11dc-b417-0020ed6c9173}]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-08-21 17:59:00 H:\WINDOWS\Tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 12:02:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
\\BLACKDELL\EPSON Stylus Photo R200 Series = H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P42 "\\BLACKDELL\EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"??????a?w6???????????????p????????????????????b?w????p???????????8???????????h??w????p???????z??wp???????????)??|???????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\BLACKDELL\\EPSON Stylus Photo R220 Series"="H:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIA.EXE /P42 \"\\\\BLACKDELL\\EPSON Stylus Photo R220 Series\" /O6 \"USB001\" /M \"Stylus Photo R220\""
"\\\\EMS\\EPSON Stylus Photo R200 Series cd"="H:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P39 \"\\\\EMS\\EPSON Stylus Photo R200 Series cd\" /O6 \"USB002\" /M \"Stylus Photo R200\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\BLACKDELL\\EPSON Stylus Photo R200 Series"="H:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P42 \"\\\\BLACKDELL\\EPSON Stylus Photo R200 Series\" /M \"Stylus Photo R200\" /EF \"HKCU\"ÄÜ\12ÆaÕw6381pÉ\131\131ÿÿÿÿäÜ\128bÕw\131pÉ\131Éù1\108Ý\123\10Ý\12h±Öw\131pÉ\131z±ÖwpÉ\131\131Èñ\12)Ç€|üé\12"

Completion time: 2007-08-21 12:02:47

--- E O F ---

Attached Files

•  Result.txt   60.19K   1 downloads

[AndyManchesta]

Thanks,

I don't see any remaining restrictions that would prevent you opening the Control Panel, there is alot of restrictive values present in the Policy keys that are not present on a default install but as they are all set to 0 (Disabled) Windows would treat them as though they do not exist so they shouldnt be causing any problems and are not related to control panel restrictions anyway.

Can you check the group policy editor to see if it shows any restrictions

Type GPEDIT.MSC from the Run box and navigate to User Configuration>Administrative Templates>Control Panel

Can you also have this file scanned

Visit VirusTotal
Open the scan site and copy and paste this into the Upload a File area (next to Browse)

H:\WINDOWS\psvenc.exe

Then click Send File, wait until all the results are shown and it shows Finished in the current status area then copy and paste the full results back on here

If the Control Panel is missing from the Start Menu are you able to add it back using the Start Menu Properties

Right Click Start Menu > click Properties > on the Start Menu tab click Customize then Advanced

Under Start Menu Items, Check for Control Panel and then place a check next to either Display as a link or Display as a Menu and click OK then Apply and OK to close the Properties screen

Its a shame the trojan file didnt exist earlier as I could of checked it to see what changes it made but if it did add restrictions they would appear under the policy keys, can you let us know if the group policy editor shows any restrictions present and if your able to restore the control panel to the start menu using its properties screen. Also post the Hosts file contents to make sure the entries blocking you accessing certain AV sites have been removed

Quote

Please then open HijackThis, click Config... in the bottom right of the scan screen or open the Misc Tools section if its on the Main Menu, click Open hosts file manager and this will then display the contents of the hosts file, please then click Open in Notepad and copy and paste the contents of the notepad file back on here so we can make sure the hosts file is correct.

Let me know how it goes

Cheers

[Fujisan]

The results from VirusTotal were:

0 bytes size received / Se ha recibido un archivo vacio.

When I sent it to VirusTotal, AVG popped up with a warning about Trojan Horse Downloader.Generic5.TZV.

I actually tried to restore the Control Panel through the Start Menu Properties after your previous post. It showed that it was there, but it wasn't.

HOWEVER, after doing everything you said in your last post, I looked one more time and the Control Panel is back and the error message has stopped. It looks like everything is fixed. The only remaining concern is that warning from AVG about the Trojan. Is that something to worry about? Everything seems perfect except for that.

Thank you so much for your help.

[AndyManchesta]

Thats good to hear

Regarding the trojan it's likely your AVG scanned the file when VirusTotal tried to upload it then removed it from the system which is probably why VirusTotal shows it was 0 bytes, just make sure the file has been deleted then we can run one final scan to make sure there's nothing else

Goto Start > Run > and copy and paste this command

cmd /c TYPE %systemroot%\system32\drivers\etc\HOSTS >> %systemdrive%\check.txt & start notepad %systemdrive%\check.txt & exit

Press OK and it will copy the contents of the HOSTS file into a text file and open it in notepad and also save it to H:\Check.txt, copy and paste the contents of that file back,

Finally run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

Thanks

[Fujisan]

I couldn't get ActiveScan to work. Every time I tried it failed. I tried disabling the firewall, antivirus, and antispyware programs, but it just wouldn't work. The first time that I tried, I allowed it to download the Active X thing, but AntiVir caught it. I disabled AntiVir after that, but maybe it was too late.

Anyway, here's the contents of the Check file:


192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 atdmt.com
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 engine.awaps.net
192.168.200.3 fastclick.net
192.168.200.3 ftp.avp.ch
192.168.200.3 ftp.kasperskylab.ru
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 www.awaps.net
192.168.200.3 www.symantec.com
192.168.200.3 www.viruslist.ru
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy

[AndyManchesta]

Im not sure why AntiVir would give alerts when installing the ActiveX control for Pandascan but that might of caused the problem, remove Panda Activescan from the Add/Remove screen if its listed and also fix this entry with HijackThis if its now there

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

Then disable your AntiVirus temporarily and try the scanner again, if it still doesnt run then give Eset a try

http://www.eset.com/onlinescan

To reset your Hosts file download HostsXpert from here

http://www.funkytoad.../HostsXpert.zip

Extract and run the program and press the Restore MS Hosts File button then click OK at the prompt, your current Hosts file is blocking access to some Ad/Banner sites which is fine but its also blocking access to Symantec & parts of Kaspersky's site so its easier to just reset it, with the HostsXpert program you can click Make ReadOnly? to prevent anything changing your hosts file again or even use the download option to add protective hosts files like MVPs Hosts and HP Hosts which will block hundreds of malicious sites as well as Ads, Banner and 3rd party cookies sites

You can read more about how the hosts file works here if needed

http://www.mvps.org/...p2002/hosts.htm

Let us know if you can get Panda scan to run on the next attempt or if Eset will run and if it finds any problems

Cheers

[Fujisan]

I was probably just wrong about AntiVir alerting me about the Active X control. I probably just remembered wrong. I still couldn't get ActiveScan to work. It was in the Add/Remove list, but when I tried to remove it, it said the removal failed. After using HijackThis to delete that entry, it did let me start the process over, but it didn't work again. It went through the whole 300+ second download, and when it got to zero, it just said it failed (which is the same thing it did every other time too). I did get Eset to work, and it didn't find anything. Do you think I'm clean now?

[AndyManchesta]

Panda's scan can be abit temperamental for some users but Im glad ESET worked fine as it shows there isnt a problem with installing ActiveX conponents and that is an excellent scanner, if your having problems removing Panda Activescan from the Add/Remove screen you can remove its entry by opening Hijackthis, click the Misc Tools button, click the Open Uninstall Manager... button then the Add/Remove Programs Manager panel should appear.

Locate Panda Activescan in the list and left click it then on the right side of the screen click Delete this entry, also remove this folder if it exists

H:\WINDOWS\system32\Activescan

Apart from that I'd say your now all set , just have a read of Tony Klein's article below as it contains alot of useful information to help keep the PC secure and avoid more infections

So how did I get Infected in the First Place?

Cheers

Andy

[Fujisan]

You're a superhero!

I just have a couple more questions for you.

First, was that trojan something that could have randomly gotten into my system just by being connected to the internet, or was it something that required me to do something stupid to get in?

Second, is there a way to send you a donation? I couldn't have solved this problem in a million years by myself, and you were incredibly prompt, patient, and helpful. I don't know if you're a Piriform employee or if you just do this out of kindness, but either way you deserve to be paid back for your help.

Thank you again for your help.

[AndyManchesta]

Hi Fujisan

Quote

First, was that trojan something that could have randomly gotten into my system just by being connected to the internet, or was it something that required me to do something stupid to get in?

Its quite difficult to know how you picked up the infection but it wouldnt of been able to get in just by being connected to the Internet, the main advise I can give is to make sure to run your Antivirus software regularly, and to keep it up-to-date and also make sure your windows has the latest updates: http://windowsupdate.microsoft.com/ as that will reduce the chances of infections being able to get on your machine using exploit scripts hidden in malicious website pages, Avoid illegal sites such as warez, cracks, serials etc... because that's where most malware is present, Don't click on any links inside popups, Spam email messages or Instant Messenger programs and to download free software only from sites you know and trust as files from unknown sites or through programs like file sharing applications may also be bundled with malware.

Consider installing a third party firewall program if you do not have one installed as they offer better protection than the Windows Firewall. Here are some good free firewalls if needed (Do not install more than one firewall program though as they will conflict with each other)

• ZoneAlarm,
  
• PC Tools Firewall Plus
  
• Sunbelt Kerio
  
• Comodo Personal Firewall

A tutorial on understanding and using firewalls can be found here

Also consider updating your version of IE to IE7 as its more secure than the current version of IE or using an alternate browser such as Mozilla's Firefox. Firefox can be downloaded from HERE if needed.

Then read Tony's article which I linked to in the earlier post as that contains alot of additional steps you can take to prevent infections.

Quote

Second, is there a way to send you a donation? I couldn't have solved this problem in a million years by myself, and you were incredibly prompt, patient, and helpful. I don't know if you're a Piriform employee or if you just do this out of kindness, but either way you deserve to be paid back for your help.

No problem regarding the help, Im not a Piriform employee but I'm happy to assist users in cleaning up infections when I can and I wouldnt accept a donation for that. Im just pleased we were able to get things resolved, Thanks alot for the offer though

Let us know if you have more problems or questions anytime and we will try to help

Regards

Andy