Trojan Downloader & Win32 Dialer, PLEASE HELP!


19 replies to this topic

#1 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 30 October 2006 - 11:31 PM

Hello, and first of all, thanks for all your invaluable support you are giving to all of us! My struggle to get rid of this Trojan pest is going on for 10 days already. I tried several suggested steps, but arrived nowhere.

I am running Windows XP SP2, with Avast anti-virus, and CounterSpy as a protection. All was well until, 10 days ago, I think my kid (13 years) downloaded something nasty (through Internet Download Manager, Limewire, Torrent or some similar software) and since then, while we are on the Internet (first we had IE 6, then 7 and finally Firefox), every 15 minutes Avast is popping up with the sound-siren telling me I have a Trojan Win32 Dialer-gen13 [Trj] that is trying to connect (I suppose to some site?) and I reject that connection, but in 20 min it starts all over again. Since then, we got a lot of porn pop-ups and explicit images during browsing, with xxx sites even finding out the country of living, so now they are offering me a "Mate or Friend" in my hometown, or similar stuff. Also sometimes there is a pop-up saying my computer may be at risk and that I need to install some spyware removal tool to fix this. I am very careful not to touch any of these messages. Sometimes a DOS command prompt window opens and flashes for a few seconds and disappears. So, I did a lot of scans, lately. While I try to reboot (which I have to do a lot, after almost every antispyware scan), there is an error window saying I need to wait for the Windows Explorer to close down. Sometimes it takes a while, sometimes it reboots after 10 seconds.

I cleaned with Avast many times but it cannot kill it permanently.

I also ran Spyware Doctor, which told me it removed it (it calls it Trojan.Downloader.Small.CML), but the next time I start the Internet browser Avast finds it again.

Now, I did all the above proposed steps before turning to you:
1. BitDefender (attached log as file)
2. Ad Aware (it found Crackspider obj[0]=RegValue : software\microsoft\internet explorer\main "Search Bar" obj[1]=File : C:\Documents and Settings\pc\Application Data\IDM\DwnlData\pc\install_907\SrchPlug.dll)
3. SpyBot (clean)
4. SuperAntiSpyware (found & cleaned Trojan.Unknown Origin & Trojan.Media-Codec)
5. AVG Anti-Spyware (found CoolWebSearch & Better Internet, but ignored it?! See attached log)
6. HijackThis (attaching log)


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:06:26 31/10/2006

+ Scan result:



C:\Program Files\WinRAR\winrar_342_srpski_prevod.rar/Engleski\Default.SFX -> Adware.BetterInternet : Ignored.
HKLM\SOFTWARE\Classes\Interface\{06CA2DA3-3A44-4FC7-8FD9-246C0F53407C} -> Adware.CoolWebSearch : Ignored.


::Report end
________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 00:16:52, on 31/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4 antivirus\aswUpdSv.exe
C:\Program Files\Avast4 antivirus\ashServ.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BluetoothDongle\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Avast4 antivirus\ashMaiSv.exe
C:\Program Files\Avast4 antivirus\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVAST4~1\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\pc\Desktop\TORRENTS\Torrent Clients\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All Links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4 antivirus\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4 antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BluetoothDongle\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe


Thanks a lot in advance for your kind HELP.

LANA

Attached File  Bitdefender.txt   19.19K   101 downloads

#2 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 31 October 2006 - 12:22 AM

Welcome to the forum.
For now I suggest you shut down all of your file sharing programs (uTorrent, Limewire, Internet Download Manager, and anything else).

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Paste kaspersky log onto forum.


#3 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 31 October 2006 - 04:06 PM

Hi and thanks for your prompt reply!!!

I did the Kaspersky Online scan and will paste the log below. Do you need a fresh HijackThis log, as well?

Things are running much better now. No annoying Avast siren-warnings for the Trojan Dialer attempts. What next?

Thanks very much for any help that can be given.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 31, 2006 5:03:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/10/2006
Kaspersky Anti-Virus database records: 236694
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 61103
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:56:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\pc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\pc\Desktop\Smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\pc\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\pc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\pc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\pc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pc\Local Settings\History\History.IE5\MSHist012006103120061101\index.dat Object is locked skipped
C:\Documents and Settings\pc\Local Settings\Temp\~DF2B09.tmp Object is locked skipped
C:\Documents and Settings\pc\Local Settings\Temp\~DF2B0F.tmp Object is locked skipped
C:\Documents and Settings\pc\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\pc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pc\My Documents\Anti Spyware\SmitFraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\pc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\pc\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\pc\UserData\index.dat Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-10-31.15-52-59.log Object is locked skipped
C:\Program Files\Avast4 antivirus\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Avast4 antivirus\DATA\Avast4.db Object is locked skipped
C:\Program Files\Avast4 antivirus\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Avast4 antivirus\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Avast4 antivirus\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Avast4 antivirus\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Avast4 antivirus\DATA\report\Stalna zastita.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_2e8.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
---------------------------------------------------------------------


#5 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 31 October 2006 - 09:49 PM

Well, the scan I had you run came up clean (and it doesn't remove anything, it just scans). Did you do anything besides what I told you?

Post a new hijackthis log. :)

#6 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 01 November 2006 - 04:00 PM

Thanks for your help! No, I didn't do anything besides what you told me, except flushing my restore points and making a new one.

And the strangest thing is the Avast warnings for Trojan Dialer stopped as of yesterday morning. Although the PC is still quite slow. But workable, for a change. Also fewer pop-ups, but still not all of the xxx ads have disappeared.

Here is my fresh hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:58:42, on 01/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4 antivirus\aswUpdSv.exe
C:\Program Files\Avast4 antivirus\ashServ.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\BluetoothDongle\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Avast4 antivirus\ashMaiSv.exe
C:\Program Files\Avast4 antivirus\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVAST4~1\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\pc\Desktop\TORRENTS\Torrent Clients\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All Links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4 antivirus\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4 antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BluetoothDongle\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Thanks again for very quick and kind help :D !

Lana

#7 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 01 November 2006 - 09:53 PM

Download SUPERAntiSpyware
  • Load SUPERAntiSpyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.


#8 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 02 November 2006 - 04:01 PM

Thanks, Rridgely! I did per your instructions, updated & scanned, and the scan came out - clean! This means my PC is finally clean, isn't it?!

If you think of anything else I might do or check, just to be on the safe side - please advise.

This is my SUPERAntiSpyware scan log:


SUPERAntiSpyware Scan Log
Generated 11/02/2006 at 12:29 PM

Application Version : 3.3.1020

Core Rules Database Version : 3119
Trace Rules Database Version: 1142

Scan type : Complete Scan
Total Scan Time : 00:31:57

Memory items scanned : 399
Memory threats detected : 0
Registry items scanned : 6719
Registry threats detected : 0
File items scanned : 38574
File threats detected : 0

THANKS AGAIN A LOT!!!

Best regards, Lana

#9 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 02 November 2006 - 09:46 PM

Post a new hijackthis log.
From there we can try a few more things.

#10 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 04 November 2006 - 03:49 PM

Thanks for not giving up on me!!! My PC is still slow, often at 100% CPU, Task Manager reports 6 instances of svchost running simultaneously, and God knows what else. Plus, when I am rebooting or shutting down there is (almost always) a dialog box: Ending program explorer.exe (This program is not responding), and I have to click End Now in order to reboot or shut down. Sometimes it says the same for Word, or Internet Explorer or Connections Tray and other programs.

What can be done? Thanks in advance.

Here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:44:16, on 04/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4 antivirus\aswUpdSv.exe
C:\Program Files\Avast4 antivirus\ashServ.exe
C:\Program Files\BluetoothDongle\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVAST4~1\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Avast4 antivirus\ashMaiSv.exe
C:\Program Files\Avast4 antivirus\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\pc\Desktop\TORRENTS\Torrent Clients\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All Links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4 antivirus\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4 antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BluetoothDongle\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Regards, LANA
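A small triage script for the HijackThis log above, added here as an example; it is not part of the original thread and not code from HijackThis. It applies the checks a helper applies by eye: entries marked (file missing), O10 Winsock LSP lines that repeat, O20 Winlogon Notify hooks, and O23 services with no recognised owner. The sample lines are copied from the log in this post; the function and reason-tag names are my own. A flag is a prompt to verify the file, not a verdict: the O10 entry here names a DLL in the same idm naming family as the Internet Download Manager components listed in the O2 and O8 lines.

```python
import re
from collections import Counter

# Entries copied from the HijackThis log above (page data, not constructed).
# A real run would pass the whole saved log file instead.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
"""

# HijackThis entries start with a section code (O2, O10, R1, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[ORFN]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage_hjt(text):
    """Apply the by-eye checks a forum helper uses and return a list of findings.

    Each finding is a dict with the section, a short reason tag and the entry.
    Reason tags (my own names, hypothetical):
      duplicate-lsp    the same O10 Winsock LSP line appears more than once
      file-missing     HijackThis could not find the file the entry points at
      winlogon-notify  an O20 Winlogon Notify hook, loaded at every logon
      unknown-owner    an O23 service whose binary carries no company name
    """
    entries = parse_hjt(text)
    findings = []

    lsp_counts = Counter(body for section, body in entries if section == "O10")
    for body, count in lsp_counts.items():
        if count > 1:
            findings.append({"section": "O10", "reason": "duplicate-lsp",
                             "count": count, "entry": body})

    for section, body in entries:
        if "(file missing)" in body:
            findings.append({"section": section, "reason": "file-missing", "entry": body})
        if section == "O20":
            findings.append({"section": section, "reason": "winlogon-notify", "entry": body})
        if section == "O23" and "Unknown owner" in body:
            findings.append({"section": section, "reason": "unknown-owner", "entry": body})
    return findings


def summarize_hjt(findings):
    """Count findings per reason tag, for a quick overview."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f['section']}] {f['reason']:<16} {f['entry']}")
    print(dict(summarize_hjt(results)))
```

On the sample above it reports three file-missing entries, one Winlogon Notify hook, one unknown-owner service and one LSP line repeated three times. The "(file missing)" markers on the avast! services and the Webroot notifier are typical leftovers of an uninstall rather than an infection, which is exactly why the output is a list to check, not a list to delete.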

#11 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 04 November 2006 - 08:05 PM

Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

#12 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 05 November 2006 - 12:01 PM

Thanks, Ridgley, did as per your instructions. Here is the ComboFix Log:

pc - 06-11-05 13:03:06.28 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\pc\Desktop\ComboFix"

((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


2006-10-30 22:03 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2006-10-29 02:08 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-29 02:08 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-10-27 16:48 523,264 --a------ C:\WINDOWS\system32\AviProcessor.dll
2006-10-27 16:48 51,200 --a------ C:\WINDOWS\system32\camcodec.dll
2006-10-27 16:48 114,688 --a------ C:\WINDOWS\system32\avizlib.dll
2006-10-25 13:03 10,752 --------- C:\WINDOWS\system32\pxwma.dll
2006-10-24 13:39 11,254 --a------ C:\WINDOWS\system32\locate.com
2006-10-22 14:37 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-10-22 14:34 23,552 --a------ C:\WINDOWS\system32\normaliz.dll
2006-10-22 10:39 273,664 --a------ C:\WINDOWS\pptpunin.exe
2006-10-20 19:28 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-10-20 19:28 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-10-20 19:23 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll
2006-10-17 12:33 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33 180,736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 12:05 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:01 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 11:58 61,952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 266,752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:27 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-12 18:05 243,680 --a------ C:\WINDOWS\UNINST16.EXE
2006-10-09 18:59 611,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-05 12:56 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-05 12:55 -------- d-------- C:\Program Files\Travelogue 360 Paris
2006-11-04 23:02 -------- d-------- C:\Documents and Settings\pc\Application Data\uTorrent
2006-11-04 16:44 -------- d-------- C:\Program Files\HJT
2006-11-04 15:13 -------- d-------- C:\Documents and Settings\pc\Application Data\SUPERAntiSpyware.com
2006-11-04 14:38 -------- d-------- C:\Program Files\Spyware Doctor
2006-11-03 14:05 -------- d-------- C:\Program Files\Winnie the Pooh Kindergarten
2006-11-02 20:45 -------- d-------- C:\Program Files\Internet Explorer
2006-11-02 01:00 -------- d-------- C:\Program Files\Paint Shop Pro
2006-10-31 22:22 -------- d-------- C:\Program Files\LimeWire
2006-10-31 19:26 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-30 17:22 -------- d-a------ C:\Program Files\Common Files
2006-10-30 17:09 -------- d-------- C:\Program Files\Lavasoft
2006-10-30 17:07 -------- d-------- C:\Documents and Settings\pc\Application Data\Lavasoft
2006-10-30 12:35 -------- d-------- C:\Program Files\PokeDex
2006-10-30 12:00 -------- d-------- C:\Program Files\FlaskMPEG
2006-10-30 11:58 -------- d-------- C:\Program Files\BFG
2006-10-29 23:43 -------- d-------- C:\Documents and Settings\pc\Application Data\DMCache
2006-10-29 02:08 -------- d-------- C:\Documents and Settings\pc\Application Data\PC Tools
2006-10-28 18:59 -------- d-------- C:\Program Files\Time to Play Pet Shop
2006-10-28 18:00 -------- d-------- C:\Program Files\Outlook Express
2006-10-28 16:38 -------- d-------- C:\Program Files\ESET
2006-10-28 15:43 -------- d-------- C:\Program Files\DivX
2006-10-28 15:42 -------- d-------- C:\Program Files\AltoMP3 Maker
2006-10-28 15:02 -------- d-------- C:\Documents and Settings\pc\Application Data\Skype
2006-10-28 13:38 -------- d-------- C:\Program Files\iWin.com
2006-10-28 11:39 -------- d-------- C:\Documents and Settings\pc\Application Data\Mozilla
2006-10-27 01:17 -------- d-------- C:\Program Files\KaraFun
2006-10-26 19:14 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2006-10-26 19:14 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2006-10-26 19:14 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2006-10-25 17:31 -------- d-------- C:\Program Files\AVI to MPEG Converter
2006-10-25 17:09 -------- d-------- C:\Program Files\XviD
2006-10-25 16:16 -------- d-------- C:\Program Files\Movie Converter
2006-10-25 16:07 -------- d-------- C:\Program Files\MPEGTOAVI
2006-10-25 14:57 -------- d-------- C:\Program Files\Google
2006-10-25 14:49 -------- d-------- C:\Program Files\Common Files\PestPatrol
2006-10-25 14:44 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-25 13:43 -------- d-------- C:\Program Files\VCDGear
2006-10-25 13:12 -------- d-------- C:\Program Files\Pegasys Inc
2006-10-25 12:52 -------- d-------- C:\Documents and Settings\pc\Application Data\Pegasys Inc
2006-10-25 01:42 -------- d-------- C:\Documents and Settings\pc\Application Data\DivX
2006-10-24 23:30 -------- d-------- C:\Documents and Settings\pc\Application Data\IDM
2006-10-24 22:22 -------- d-------- C:\Program Files\Kirikou
2006-10-24 21:05 -------- d-------- C:\Program Files\WinZip
2006-10-24 20:55 -------- d-------- C:\Program Files\Avast4 antivirus
2006-10-24 14:30 -------- d-------- C:\Program Files\Java
2006-10-24 14:01 -------- d-------- C:\Program Files\Sunbelt Software
2006-10-24 13:07 -------- d-------- C:\Program Files\CCleaner
2006-10-23 21:42 47104 --a------ C:\Documents and Settings\pc\Application Data\GDIPFONTCACHEV1.DAT
2006-10-22 10:46 -------- d-------- C:\Program Files\Monkey's Audio
2006-10-21 20:15 -------- d-------- C:\Program Files\Multiplication Game
2006-10-21 20:14 -------- d-------- C:\Program Files\Sebran
2006-10-21 20:14 -------- d-------- C:\Program Files\Multiplication Game 2
2006-10-20 21:06 -------- d-------- C:\Program Files\WinAVI DVD Copy
2006-10-20 20:49 2572 --a------ C:\WINDOWS\WINDVDBOOTRECDOE.sys
2006-10-20 20:45 -------- d-------- C:\Program Files\Real Alternative
2006-10-20 20:31 -------- d-------- C:\Program Files\WinAVI VideoConverter
2006-10-20 19:23 -------- d-------- C:\Program Files\On2 Technologies
2006-10-19 21:46 -------- d-------- C:\Program Files\Diner Dash
2006-10-19 11:21 -------- d-------- C:\Program Files\ImTOO MP4 Video Converter
2006-10-19 00:52 -------- d-------- C:\Documents and Settings\pc\Application Data\dvdcss
2006-10-18 19:57 -------- d-------- C:\Documents and Settings\pc\Application Data\Wildfire
2006-10-17 20:16 -------- d-------- C:\Program Files\CHPIANO
2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-14 23:24 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-14 23:16 -------- d-------- C:\Program Files\PopCap Games
2006-10-14 22:40 -------- d-------- C:\Program Files\IsoBuster
2006-10-12 16:21 592 --a------ C:\WINDOWS\system32\InTLub1.sys
2006-10-11 19:43 -------- d-------- C:\Program Files\Bubble Bobble Gold Edition
2006-10-05 12:20 -------- d-------- C:\Documents and Settings\pc\Application Data\Help
2006-10-05 12:19 -------- d-------- C:\Program Files\CDisplay
2006-10-05 11:41 -------- d-------- C:\Program Files\Bubble Bobble Nostalgie
2006-10-05 11:29 -------- d-------- C:\Program Files\Bubble Bobble World
2006-10-04 19:22 -------- d-------- C:\Program Files\Jewel Quest
2006-10-04 19:17 -------- d-------- C:\Program Files\7 Wonders
2006-10-04 18:50 -------- d-------- C:\Program Files\GameHouse
2006-10-04 18:47 -------- d-------- C:\Program Files\Happy Note!
2006-10-04 18:42 -------- d-------- C:\Program Files\MSN Games
2006-10-04 10:26 249856 --------- C:\WINDOWS\Setup1.exe
2006-10-04 10:25 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-10-03 01:51 -------- d-------- C:\Program Files\CDG to AVI
2006-10-03 01:41 737280 --a--c--- C:\WINDOWS\iun6002.exe
2006-10-03 00:21 -------- d-------- C:\Program Files\Common Files\Doblon
2006-10-02 23:54 -------- d-------- C:\Program Files\Power CD+G to Video Converter
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 20:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 20:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-10-01 20:56 -------- d-------- C:\Program Files\Barbie® Pet Rescue
2006-09-30 15:54 -------- d-------- C:\Program Files\Common Files\Vivendi Universal Games
2006-09-30 10:07 -------- d-------- C:\Documents and Settings\pc\Application Data\Leadertech
2006-09-25 16:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-09-25 16:40 87424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-09-25 16:40 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-09-25 16:39 36176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-09-25 16:39 16352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-09-25 16:37 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-09-25 16:37 24560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 13:48 -------- d-------- C:\Documents and Settings\pc\Application Data\Google
2006-09-03 16:02 80 -r-hs---- C:\WINDOWS\system32\4441D02F57.dll
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-11 00:03 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-11 00:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"µTorrent"="\"C:\\Documents and Settings\\pc\\Desktop\\TORRENTS\\Torrent Clients\\utorrent.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"avast!"="C:\\PROGRA~1\\AVAST4~1\\ashDisp.exe"
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\pc backup.job
C:\WINDOWS\tasks\pc scan and fix.job

Completion time: 06-11-05 13:04:09.09
C:\ComboFix.txt ... 06-11-05 13:04


Regards,

Lana

#13 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 06 November 2006 - 10:45 PM

Sorry for the delay.

Can you set Windows to show hidden files and folders and then upload some files to VirusTotal to make sure they are clean?

Click Start. Go to My Computer, then the C: drive.
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

Next visit VirusTotal and have these files scanned:

C:\WINDOWS\system32\4441D02F57.dll
C:\WINDOWS\system32\InTLub1.sys
C:\WINDOWS\Setup1.exe

Open the scan site and press Browse, locate the file and double-click it to load the path into the Virus scan window, then press Send. Copy and paste the Virus scan results back and let us know if you have any problems finding them.
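To make the file selection in this post reproducible, here is a parser for the ComboFix file-list lines, added as an example that is not part of the original thread nor of ComboFix. It reads the date, time, size, nine-character attribute field and path of each line, and flags plain files that carry both the hidden and system attributes, that have a bare hexadecimal name under system32, or that are an executable type under 1 KiB. On the sample lines (copied from the ComboFix log above) it picks out 4441D02F57.dll and InTLub1.sys; Setup1.exe, the third file asked for, carries no such marker, so that choice rests on the helper's judgement about an unfamiliar name, which these heuristics do not replace. The heuristics, thresholds and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Lines copied from the ComboFix report above (page data, not constructed).
# They cover both layouts ComboFix uses: a comma-formatted size in the
# "Files Created" section and a dashed size for directories in Find3M.
SAMPLE_COMBOFIX_LINES = r"""
2006-10-29 02:08 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-25 14:44 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-12 16:21 592 --a------ C:\WINDOWS\system32\InTLub1.sys
2006-10-04 10:26 249856 --------- C:\WINDOWS\Setup1.exe
2006-09-25 16:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-09-03 16:02 80 -r-hs---- C:\WINDOWS\system32\4441D02F57.dll
"""

# date  time  size (or dashes)  9-character attribute field  path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>-+|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

EXEC_EXT = {".dll", ".sys", ".exe", ".scr", ".com"}
HEX_STEM = re.compile(r"^[0-9A-Fa-f]{8,}$")   # e.g. 4441D02F57


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]     # None for directories (ComboFix prints dashes)
    attrs: Set[str]         # letters present in the attribute field: d, r, a, h, s, c, t
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_combofix(text: str) -> List[Entry]:
    """Parse ComboFix file-list lines; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size_txt = m.group("size")
        size = None if size_txt.startswith("-") else int(size_txt.replace(",", ""))
        entries.append(Entry(m.group("date"), m.group("time"), size,
                             set(m.group("attrs")) - {"-"}, m.group("path")))
    return entries


def suspicious_reasons(e: Entry) -> List[str]:
    """Attribute- and name-based heuristics (my own, hypothetical) for one file entry."""
    reasons: List[str] = []
    if e.is_dir or e.size is None:
        return reasons
    name = e.path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:                        # no extension at all
        stem, ext = name, ""
    else:
        ext = "." + ext.lower()
    in_system32 = "\\system32\\" in e.path.lower()

    if {"h", "s"} <= e.attrs:          # hidden + system on a plain file is unusual
        reasons.append("hidden+system")
    if in_system32 and HEX_STEM.match(stem):
        reasons.append("hex-name")     # bare hex names are rare for legitimate system32 files
    if in_system32 and ext in EXEC_EXT and e.size < 1024:
        reasons.append("tiny-executable")   # a DLL or driver under 1 KiB deserves a second look
    return reasons


def triage_combofix(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; unflagged entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_combofix(text):
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_combofix(SAMPLE_COMBOFIX_LINES).items():
        print(f"{path}: {', '.join(reasons)}")
```

The attribute field is read as a set of letters rather than by fixed position, so the script is not thrown off by the compressed (c) and temporary (t) flags that appear on a few lines of the real report. As with the VirusTotal step, a flag here only says which files are worth hashing and submitting; it is not a detection.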

#14 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 07 November 2006 - 01:59 PM

Thanks RRIDGLEY again! Seems everything came out clean!

Here are my scan logs, as per your instructions:

C:\WINDOWS\Setup1.exe scan RESULTS:

Antivirus Version Update Result
AntiVir 7.2.0.37 11.07.2006 no virus found
Authentium 4.93.8 11.06.2006 no virus found
Avast 4.7.892.0 11.07.2006 no virus found
AVG 386 11.07.2006 no virus found
BitDefender 7.2 11.06.2006 no virus found
CAT-QuickHeal 8.00 11.07.2006 no virus found
ClamAV devel-20060426 11.07.2006 no virus found
DrWeb 4.33 11.07.2006 no virus found
eTrust-InoculateIT 23.73.48 11.07.2006 no virus found
eTrust-Vet 30.3.3181 11.07.2006 no virus found
Ewido 4.0 11.07.2006 no virus found
Fortinet 2.82.0.0 11.07.2006 no virus found
F-Prot 3.16f 11.06.2006 no virus found
F-Prot4 4.2.1.29 11.06.2006 no virus found
Ikarus 0.2.65.0 11.07.2006 no virus found
Kaspersky 4.0.2.24 11.07.2006 no virus found
McAfee 4889 11.06.2006 no virus found
Microsoft 1.1609 11.07.2006 no virus found
NOD32v2 1.1856 11.06.2006 no virus found
Norman 5.80.02 11.07.2006 no virus found
Panda 9.0.0.4 11.06.2006 no virus found
Sophos 4.11.0 11.07.2006 no virus found
TheHacker 6.0.1.113 11.06.2006 no virus found
UNA 1.83 11.06.2006 no virus found
VBA32 3.11.1 11.07.2006 no virus found
VirusBuster 4.3.15:9 11.07.2006 no virus found

Aditional Information
File size: 249856 bytes
MD5: b9917fc4c836776765e311fff84dd534
SHA1: 63cf6b3992f2058f6a5995293e1017627569f8b5

C:\WINDOWS\system32\4441D02F57.dll scan RESULTS:

Antivirus Version Update Result
AntiVir 7.2.0.37 11.07.2006 no virus found
Authentium 4.93.8 11.06.2006 no virus found
Avast 4.7.892.0 11.07.2006 no virus found
AVG 386 11.07.2006 no virus found
BitDefender 7.2 11.06.2006 no virus found
CAT-QuickHeal 8.00 11.07.2006 no virus found
ClamAV devel-20060426 11.07.2006 no virus found
DrWeb 4.33 11.07.2006 no virus found
eTrust-InoculateIT 23.73.48 11.07.2006 no virus found
eTrust-Vet 30.3.3181 11.07.2006 no virus found
Ewido 4.0 11.07.2006 no virus found
Fortinet 2.82.0.0 11.07.2006 no virus found
F-Prot 3.16f 11.06.2006 no virus found
F-Prot4 4.2.1.29 11.06.2006 no virus found
Ikarus 0.2.65.0 11.07.2006 no virus found
Kaspersky 4.0.2.24 11.07.2006 no virus found
McAfee 4889 11.06.2006 no virus found
Microsoft 1.1609 11.07.2006 no virus found
NOD32v2 1.1856 11.06.2006 no virus found
Norman 5.80.02 11.07.2006 no virus found
Panda 9.0.0.4 11.06.2006 no virus found
Sophos 4.11.0 11.07.2006 no virus found
TheHacker 6.0.1.113 11.06.2006 no virus found
UNA 1.83 11.06.2006 no virus found
VBA32 3.11.1 11.07.2006 no virus found
VirusBuster 4.3.15:9 11.07.2006 no virus found

Aditional Information
File size: 80 bytes
MD5: 3bae9ce6e9b87785ce04d71b54d443fc
SHA1: f8e6ed7592e1c24701bbcffcc9efcfb6c89a671c

C:\WINDOWS\system32\InTLub1.sys scan RESULTS:

Antivirus Version Update Result
AntiVir 7.2.0.37 11.07.2006 no virus found
Authentium 4.93.8 11.06.2006 no virus found
Avast 4.7.892.0 11.07.2006 no virus found
AVG 386 11.07.2006 no virus found
BitDefender 7.2 11.06.2006 no virus found
CAT-QuickHeal 8.00 11.07.2006 no virus found
ClamAV devel-20060426 11.07.2006 no virus found
DrWeb 4.33 11.07.2006 no virus found
eTrust-InoculateIT 23.73.48 11.07.2006 no virus found
eTrust-Vet 30.3.3181 11.07.2006 no virus found
Ewido 4.0 11.07.2006 no virus found
Fortinet 2.82.0.0 11.07.2006 no virus found
F-Prot 3.16f 11.06.2006 no virus found
F-Prot4 4.2.1.29 11.06.2006 no virus found
Ikarus 0.2.65.0 11.07.2006 no virus found
Kaspersky 4.0.2.24 11.07.2006 no virus found
McAfee 4889 11.06.2006 no virus found
Microsoft 1.1609 11.07.2006 no virus found
NOD32v2 1.1856 11.06.2006 no virus found
Norman 5.80.02 11.07.2006 no virus found
Panda 9.0.0.4 11.06.2006 no virus found
Sophos 4.11.0 11.07.2006 no virus found
TheHacker 6.0.1.113 11.06.2006 no virus found
UNA 1.83 11.06.2006 no virus found
VBA32 3.11.1 11.07.2006 no virus found
VirusBuster 4.3.15:9 11.07.2006 no virus found

Aditional Information
File size: 592 bytes
MD5: 9ad1deda0e68183e96bd6a432819ebb3
SHA1: 1196a9a60e01feabde89a0e34ffc3c8e013517cc

Best regards,

LANA

#15 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 07 November 2006 - 03:06 PM

Sorry RRIDGELY, I keep spelling your name wrong :D


One more thing: although the PC runs a bit faster now, still when I am shutting it down there is always this dialog box: End program - explorer.exe (This program is not responding), and I have to click End Now in order to reboot or shut down. Sometimes it's Explorer.exe AND Connections Tray. Do you know what's causing this?


Thanks again and best regards,

LANA

#16 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 07 November 2006 - 07:36 PM

That means that something could still be there. Let's just make sure.

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and is saved to the same location as the blbeta.exe file.

Also run another scan with AVG Anti-Spyware (ewido). Make sure you remove everything it finds and post back the log saying it was removed.

#17 OFFLINE   lanche

    Member

  • Members
  • PipPip
  • 12 posts

Posted 10 November 2006 - 10:05 AM

Dear RRidgely, thanks for all your efforts!!! Good new avatar, by the way!

Tried everything you said: BlackLight didn't find anything, neither did AVG. All came out clean. Still, when I shut down there is this dialog box End Program (explorer.exe) not responding. If you think of anything new I can try, I will really appreciate it.

Regards,
Lana

11/09/06 11:27:24 [Info]: BlackLight Engine 1.0.47 initialized
11/09/06 11:27:24 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/09/06 11:27:25 [Note]: 7019 4
11/09/06 11:27:25 [Note]: 7005 0
11/09/06 11:27:33 [Note]: 7006 0
11/09/06 11:27:33 [Note]: 7011 1644
11/09/06 11:27:33 [Note]: 7026 0
11/09/06 11:27:33 [Note]: 7026 0
11/09/06 11:27:45 [Note]: FSRAW library version 1.7.1020
11/09/06 11:43:00 [Note]: 7007 0

#18 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 10 November 2006 - 09:23 PM

Please post a new hijackthis log. Just to make sure nothing has changed.

#19 OFFLINE   lanche

    Member

  • Members
  • 12 posts

Posted 13 November 2006 - 04:42 PM

Hi Rridgely,

Did BlackLight and CounterSpy again. Everything came out clean. PC still sluggish and before shut down there is still message End Now - explorer.exe not responding. Don't know what causes this.

Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:41:00, on 13/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4 antivirus\aswUpdSv.exe
C:\Program Files\Avast4 antivirus\ashServ.exe
C:\Program Files\BluetoothDongle\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Avast4 antivirus\ashMaiSv.exe
C:\Program Files\Avast4 antivirus\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVAST4~1\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "D:\TORRENTS\Torrent Clients\µTorrent.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All Links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4 antivirus\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4 antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BluetoothDongle\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Thanks for all your efforts!!!

Lana
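A HijackThis log like the one above is a plain line-oriented format: each entry starts with a section code (R1, O2, O4, O10, O16, O23, ...) followed by " - " and the entry itself, so it is easy to parse and triage by machine. The script below is an added example for readers of this thread, not part of HijackThis or anything posted here; it parses that format and pulls out the entries a helper usually checks first: Winsock LSP DLLs (O10) and how many times each is chained, services (O23) whose binary HijackThis reported as missing, services with no recorded publisher ("Unknown owner"), and downloaded ActiveX controls (O16) with their source URL. The sample log is constructed after the log in this post; the ActiveX URL in it is a placeholder, not a real download location.

```python
"""Parse HijackThis-style log lines and flag the entries worth a second look.

Added example for this thread, not HijackThis' own code. The section codes
(O2, O4, O10, O16, O23) are the real ones HijackThis uses; the sample log is
constructed after the one posted above, with a placeholder ActiveX URL.
"""
import re
from collections import Counter

# One HJT entry: a section code such as "O23", then " - ", then the rest.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$")

# Constructed sample, modelled on the log in this thread (raw string, so the
# Windows paths keep their single backslashes).
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://scanner.example/ols3/fscax.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4 antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
"""


def parse_entries(text):
    """Return a list of (code, rest) tuples, one per HJT entry line.

    Header lines ("Logfile of HijackThis", "Running processes:") and the
    bare process paths under them do not match and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("rest")))
    return entries


def review(text):
    """Return the findings a helper would typically look at first.

    lsp           Counter of Winsock LSP DLLs (O10) and how many times each
                  is chained. A repeated third-party LSP is normal for a
                  download accelerator, but the LSP chain is also a classic
                  place for unwanted network hooks to sit, so it is listed.
    file_missing  Services (O23) whose binary HJT could not find. In the log
                  above this comes from a stray quote in the service path,
                  not from malware, but it is still worth confirming.
    unknown_owner Services (O23) with no publisher recorded.
    activex       Source URLs of downloaded ActiveX controls (O16).
    """
    findings = {"lsp": Counter(), "file_missing": [], "unknown_owner": [], "activex": []}
    for code, rest in parse_entries(text):
        if code == "O10":
            # "Unknown file in Winsock LSP: <dll path>"
            dll = rest.split(":", 1)[1].strip().lower()
            findings["lsp"][dll] += 1
        elif code == "O23":
            # "Service: <name> - <owner> - <path> [(file missing)]"
            name = rest.split(" - ")[0].removeprefix("Service: ")
            if rest.endswith("(file missing)"):
                findings["file_missing"].append(name)
            if "Unknown owner" in rest:
                findings["unknown_owner"].append(name)
        elif code == "O16":
            # "DPF: {CLSID} (<description>) - <download URL>"
            findings["activex"].append(rest.rsplit(" - ", 1)[1])
    return findings


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for dll, count in result["lsp"].items():
        print(f"LSP entry {dll!r} chained {count} time(s)")
    print("services with missing file:", result["file_missing"])
    print("services with unknown owner:", result["unknown_owner"])
    print("downloaded ActiveX controls:", result["activex"])
```

Run it against a real log by reading the file into `review()` instead of `SAMPLE_LOG`; the output is a starting point for the manual check a helper does in a thread like this one, not a verdict, since a third-party LSP or an "Unknown owner" service is often legitimate software, as it is here.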

#20 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 14 November 2006 - 02:25 AM

Let's try this.
Download this file:
http://djlizard.net/...-v0.60.0.24.zip

Open up Dial-a-fix and click the green arrows (all the boxes should become checked). Then press Go and let it run. Once it's finished, see if you still have the same problems.