Full Version: ip6fw.sys needs to be deleted
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
soberalison
Hi all,
I need help.
I can't get rid of the ip6fw.sys file. I even tried KillBox.
It affects my LAN connection and shuts off the internet.
I need to delete it and clean off whichever sick trojan affected me.
Please help.
Thanks in advance.
Alison

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:08 AM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberScrub Trial\Cybscrub.exe
C:\Program Files\CyberScrub Trial\silent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guru.com/login.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.guru.com/login.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guru.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CyberScurb] "C:\PROGRA~1\CYBERS~1\silent.exe" /R
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Blue eye Calibration.lnk = C:\Program Files\LaCie blue eye 2\Tools\CLCalibrationLoader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: bw+0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw+0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw-0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw-0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw00 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw00s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw10 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw10s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw20 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw20s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw30 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw30s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw40 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw40s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw50 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw50s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw60 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw60s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw70 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw70s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw80 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw80s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw90 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw90s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwa0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwa0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwb0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwb0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwc0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwc0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwd0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwd0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwe0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwe0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwf0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwf0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: bwg0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwg0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwh0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwh0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwi0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwi0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwj0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwj0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwk0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwk0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwl0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwl0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwm0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwm0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwn0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwn0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwo0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwo0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwp0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwp0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwq0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwq0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwr0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwr0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bws0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bws0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwt0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwt0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwu0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwu0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwv0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwv0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bww0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bww0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwx0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwx0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwy0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwy0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwz0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwz0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: offline-8876480 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
teacup61
Hello soberalison,

Welcome to Gladiator Security Forum!

I'm a redhead that works HJT logs here, and I deleted your duplicate topic. Please do not start another topic, as it does you no good whatsoever. :) I will look your log over and get back to you as soon as possible. Thank you for your patience.

Regards,
tea
teacup61
Alison,

That file may also be legit. Is it popping off errors, or what? Can you please go to the file, right-click and choose Properties, and tell me the company name, version, and any other info in there.

We can tidy up that log in the meantime:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <<this is a resource hog
O18 - Protocol: bw+0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw+0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw-0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw-0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw00 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw00s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw10 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw10s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw20 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw20s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw30 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw30s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw40 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw40s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw50 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw50s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw60 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw60s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw70 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw70s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw80 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw80s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw90 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw90s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwa0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwa0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwb0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwb0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwc0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwc0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwd0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwd0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwe0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwe0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwf0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwf0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: bwg0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwg0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwh0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwh0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwi0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwi0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwj0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwj0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwk0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwk0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwl0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwl0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwm0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwm0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwn0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwn0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwo0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwo0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwp0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwp0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwq0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwq0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwr0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwr0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bws0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bws0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwt0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwt0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwu0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwu0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwv0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwv0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bww0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bww0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwx0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwx0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwy0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwy0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwz0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwz0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: offline-8876480 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O20 - AppInit_DLLs:


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
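Tea's cleanup list above is almost entirely entries whose handler DLL is gone ("(no file)") plus dozens of O18 protocol handlers all registered to one CLSID. The script below is an added example, not part of this thread or of HijackThis: it parses HijackThis R*/O* lines and pulls out exactly those categories so the same triage can be repeated on any log. SAMPLE_LOG is a short excerpt of the log posted above; the grouping rules are the script's own, not HijackThis behaviour.

```python
"""Triage a HijackThis v1.99 log: flag entries that point at missing files.

Added example, not part of the original forum thread or of HijackThis.
SAMPLE_LOG is an excerpt of the log posted in the thread; the selection
rules below are assumptions chosen for this illustration.
"""
import re
from collections import defaultdict

# Excerpt of the posted HijackThis log (constructed subset for the example).
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\NavNT\\vptray.exe
O18 - Protocol: bw+0 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bw+0s - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O18 - Protocol: offline-8876480 - {641AAA99-A642-4042-B7F1-6F3EF36CCF21} - (no file)
O20 - AppInit_DLLs:
O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\NavNT\\defwatch.exe
"""

# "R0 - ..." / "O18 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Yield (section, body) for every HijackThis R*/O* line; skip the rest."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    """Return the entry groups an analyst checks before 'Fix checked'.

    orphans: handler resolves to '(no file)'. The registry key survives but
             the DLL is gone: dead keys, not running code, but they hide real
             findings and are often leftovers of a half-removed infection.
    empty:   keys HijackThis lists with no value (e.g. 'O20 - AppInit_DLLs:').
    shared:  one CLSID registered under several O18 protocol names; dozens of
             scheme names on a single CLSID is one component registering a
             whole family of handlers, not dozens of unrelated programs.
    """
    orphans, empty = [], []
    clsid_names = defaultdict(set)
    for section, body in parse_entries(log_text):
        if body.endswith("(no file)"):
            orphans.append(f"{section} - {body}")
        if body.endswith(":"):
            empty.append(f"{section} - {body}")
        if section == "O18":
            # "Protocol: <name> - {CLSID} - <file>"
            name = body.split(" - ")[0].replace("Protocol: ", "")
            for clsid in CLSID_RE.findall(body):
                clsid_names[clsid].add(name)
    shared = {c: sorted(n) for c, n in clsid_names.items() if len(n) > 1}
    return {"orphans": orphans, "empty": empty, "shared": shared}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for group, items in result.items():
        print(f"== {group} ==")
        if isinstance(items, dict):
            for clsid, names in items.items():
                print(f"  {clsid}: {len(names)} protocol names {names}")
        else:
            for item in items:
                print(f"  {item}")
```

Run the file to see the three groups. The "(no file)" entries are stale registry keys rather than anything executing, so clearing them tidies the log but says nothing about what is dropping files or cutting the connection; that question needs a tool that looks at recently created files and drivers, which is what the ComboFix step that follows provides.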
soberalison
Tea,
You are terrific! Sorry for the double post. My bad.
Anyway, I deleted the files on the HijackThis scan you wanted me to and then ran ComboFix.
It said my winlogon file is infected, and here is the log it created.
Now what?
I'm having patience, believe me. I'm grateful for your help.

"Owner" - 07-04-18 18:31:41 Service Pack 2
ComboFix 07-04-19.1V - Running from: C:\Documents and Settings\Owner\Desktop\


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\update75152450.exe
C:\WINDOWS\system32\update89259649.exe
C:\WINDOWS\inf\d3ui32.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINDOWS\system32\ksys.sys
C:\WINDOWS\system32\main.sys
C:\WINDOWS\system32\ivehuuvnzmwox.dll
C:\Documents and Settings\All Users.\documents\settings

C:\WINDOWS\system32\winlogon.exe . . . is infected!!


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\EXAMPLE
-------\new_drv
-------\Runtime
-------\LEGACY_EXAMPLE
-------\LEGACY_RUNTIME


((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 ))))))))))))))))))))))))))))))))))


2007-04-18 18:40 30,592 --a------ C:\WINDOWS\system32\main.sys
2007-04-18 18:40 3,584 --a------ C:\WINDOWS\system32\ksys.sys
2007-04-17 09:09 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-04 22:41 <DIR> d-------- C:\Program Files\KILLBOX
2007-04-04 22:34 <DIR> d-------- C:\!KillBox
2007-04-04 22:16 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-04 16:53 <DIR> d-------- C:\Program Files\RegCure
2007-04-04 14:51 <DIR> d-------- C:\Program Files\XoftSpySE
2007-04-04 14:43 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-04-04 09:29 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-04 09:28 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-04-04 09:28 <DIR> d-------- C:\Program Files\Trojan Remover
2007-04-04 09:28 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Simply Super Software
2007-04-04 09:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Authentium
2007-04-04 09:19 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-04-04 04:39 1,456,123 ---hs---- C:\WINDOWS\ycfggh.ini2
2007-04-04 04:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-04-04 04:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-04 02:28 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MSN6
2007-04-04 02:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-04-04 02:23 8,760 --a------ C:\WINDOWS\system32\update47063355.exe
2007-04-04 02:23 37,441 --a------ C:\WINDOWS\system32\update34000951.exe
2007-04-04 02:23 30,409 --a------ C:\WINDOWS\system32\update56826290.exe
2007-04-04 02:23 27,489 --a------ C:\WINDOWS\system32\update88706456.exe
2007-04-04 02:17 8,760 --a------ C:\WINDOWS\system32\update07313853.exe
2007-04-04 02:17 28,949 --a------ C:\WINDOWS\system32\update22341797.exe
2007-04-04 02:17 24,569 --a------ C:\WINDOWS\system32\update15624726.exe
2007-04-04 02:12 8,760 --a------ C:\WINDOWS\system32\update50681901.exe
2007-04-04 02:12 27,489 --a------ C:\WINDOWS\system32\update42473861.exe
2007-04-04 02:07 8,760 --a------ C:\WINDOWS\system32\update36201767.exe
2007-04-04 02:07 24,569 --a------ C:\WINDOWS\system32\update22850466.exe
2007-04-04 02:07 21,649 --a------ C:\WINDOWS\system32\update42103459.exe
2007-04-04 02:02 8,760 --a------ C:\WINDOWS\system32\update85816767.exe
2007-04-04 02:02 28,949 --a------ C:\WINDOWS\system32\update03797435.exe
2007-04-04 02:02 27,489 --a------ C:\WINDOWS\system32\update41475609.exe
2007-04-04 01:57 8,760 --a------ C:\WINDOWS\system32\update05734555.exe
2007-04-04 01:52 2,669 --a------ C:\WINDOWS\system32\update03239356.exe
2007-04-04 01:52 10,220 --a------ C:\WINDOWS\system32\update61819629.exe
2007-04-04 01:46 2,669 --a------ C:\WINDOWS\system32\update60048008.exe
2007-04-04 01:41 2,669 --a------ C:\WINDOWS\system32\update85649185.exe
2007-04-04 01:36 2,669 --a------ C:\WINDOWS\system32\update92169988.exe
2007-04-04 01:31 2,669 --a------ C:\WINDOWS\system32\update57302234.exe
2007-04-04 01:26 5,589 --a------ C:\WINDOWS\system32\update41103699.exe
2007-04-04 01:21 2,669 --a------ C:\WINDOWS\system32\update46784346.exe
2007-04-04 01:16 2,669 --a------ C:\WINDOWS\system32\update09822996.exe
2007-04-04 01:11 2,669 --a------ C:\WINDOWS\system32\update37251702.exe
2007-04-04 01:06 2,669 --a------ C:\WINDOWS\system32\update32112610.exe
2007-04-04 01:00 2,669 --a------ C:\WINDOWS\system32\update48440820.exe
2007-04-04 00:50 2,669 --a------ C:\WINDOWS\system32\update13884502.exe
2007-04-04 00:45 5,589 --a------ C:\WINDOWS\system32\update96129971.exe
2007-04-04 00:40 2,669 --a------ C:\WINDOWS\system32\update71981647.exe
2007-04-04 00:35 17,269 --a------ C:\WINDOWS\system32\update06115131.exe
2007-04-04 00:30 2,669 --a------ C:\WINDOWS\system32\update95296787.exe
2007-04-04 00:25 2,669 --a------ C:\WINDOWS\system32\update89892398.exe
2007-04-04 00:20 2,669 --a------ C:\WINDOWS\system32\update81688334.exe
2007-04-04 00:15 2,669 --a------ C:\WINDOWS\system32\update29535486.exe
2007-04-04 00:04 4,129 --a------ C:\WINDOWS\system32\update67047406.exe
2007-04-03 22:43 39,169 --a------ C:\WINDOWS\system32\update88902577.exe
2007-04-03 22:38 37,709 --a------ C:\WINDOWS\system32\update20282350.exe
2007-04-03 22:33 39,169 --a------ C:\WINDOWS\system32\update24386042.exe
2007-04-03 22:28 37,709 --a------ C:\WINDOWS\system32\update79655920.exe
2007-04-03 22:23 39,169 --a------ C:\WINDOWS\system32\update36841413.exe
2007-04-03 22:18 37,709 --a------ C:\WINDOWS\system32\update44178057.exe
2007-04-03 22:13 39,169 --a------ C:\WINDOWS\system32\update41057528.exe
2007-04-03 22:07 39,169 --a------ C:\WINDOWS\system32\update16966507.exe
2007-04-03 22:05 5,397 --a------ C:\svhost.exe
2007-04-03 22:02 65,024 --a------ C:\WINDOWS\system32\update96307977.exe
2007-04-03 22:02 39,169 --a------ C:\WINDOWS\system32\update15050767.exe
2007-04-03 11:45 19,275 --a------ C:\WINDOWS\system32\ldf500.dll.ren
2007-04-03 11:41 <DIR> d-------- C:\WINDOWS\system32\bak


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-18 18:28 82944 --a------ C:\WINDOWS\system32\ws2_32.dll
2007-04-18 18:28 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2007-04-18 08:35 -------- d-------- C:\Program Files\norton utilities
2007-04-18 00:49 -------- d-------- C:\Program Files\colorgrab
2007-04-04 14:42 -------- d-------- C:\Program Files\lavasoft
2007-04-04 09:43 -------- d-------- C:\Program Files\navnt
2007-04-04 09:25 -------- d-------- C:\Program Files\symantec
2007-04-04 09:25 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-30 00:54 581344 --a------ C:\DOCUME~1\Owner\APPLIC~1\gdipfontcachev1.dat
2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
2007-03-08 23:39 -------- d-------- C:\Program Files\limewire
2007-03-08 23:29 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\limewire
2007-02-26 12:53 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\arcsoft
2007-02-26 12:25 -------- d--h----- C:\Program Files\installshield installation information
2007-02-26 12:25 -------- d-------- C:\Program Files\canon


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{601ED020-FB6C-11D3-87D8-0050DA59922B} C:\Program Files\WS_FTP Pro\wsbho2k0.dll
{65D886A2-7CA7-479B-BB95-14D1EFB7946A} C:\Program Files\Yahoo!\Common\YIeTagBm.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"CyberScurb"="\"C:\\Program Files\\CyberScrub Trial\\silent.exe\" /R"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EM_EXEC"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"item"="HPDJ Taskbar Utility"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"="\\Program\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OESYFplugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WIAWizardMenu]
"item"="WIAWizardMenu"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\sti_ci.dll,WiaCreateWizardMenu"
"hkey"="HKLM"
"key"="RunOnce"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=dword:00000002
"bdss"=dword:00000002
"Adobe LM Service"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RUNTIME


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpy.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [1140]
? [1484]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 2
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-18 18:45:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-18 18:45
soberalison
here is the combofix quarantine log:



07-04-03 22:02      122880    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rsvp32_2.dll.vir
07-04-03 22:18      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\9_exception.nls.vir
07-04-04 02:02      16896    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\update75152450.exe.vir
07-04-04 02:07      16896    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\update89259649.exe.vir
07-04-04 02:23      21504    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ivehuuvnzmwox.dll.vir
07-04-04 02:23      91648    --a------    C:\Qoobox\Quarantine\C\WINDOWS\inf\d3ui32.dll.vir
07-04-04 22:35      123    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\desktop.ini.vir
07-04-18 18:28      30592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\main.sys.vir
07-04-18 18:29      3584    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ksys.sys.vir
07-04-18 18:35      1270    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_EXAMPLE.reg.cf
07-04-18 18:35      1270    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf
07-04-18 18:35      1664    --a------    C:\Qoobox\Quarantine\Registry_backups\services_new_drv.reg.cf
07-04-18 18:35      796    --a------    C:\Qoobox\Quarantine\Registry_backups\services_EXAMPLE.reg.cf
07-04-18 18:35      820    --a------    C:\Qoobox\Quarantine\Registry_backups\services_Runtime.reg.cf


Folder PATH listing for volume TRIXIE
Volume serial number is 343F-FB6B
C:\QOOBOX
\---Quarantine
    +---C
    |   +---Documents and Settings
    |   |   \---All Users
    |   |       \---Documents
    |   |           \---Settings
    |   |                   desktop.ini.vir
    |   |                  
    |   \---WINDOWS
    |       +---inf
    |       |       d3ui32.dll.vir
    |       |      
    |       \---system32
    |               9_exception.nls.vir
    |               ivehuuvnzmwox.dll.vir
    |               ksys.sys.vir
    |               main.sys.vir
    |               rsvp32_2.dll.vir
    |               update75152450.exe.vir
    |               update89259649.exe.vir
    |              
    \---Registry_backups
            LEGACY_EXAMPLE.reg.cf
            LEGACY_RUNTIME.reg.cf
            services_EXAMPLE.reg.cf
            services_new_drv.reg.cf
            services_Runtime.reg.cf
teacup61
Hi Alison,

Do you have some things disabled with msconfig? If so, could you please re-enable them long enough to get me a fresh HijackThis log? HijackThis cannot see anything disabled in that way.

Please also run these for me:

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Download Silent Runners.zip and extract it to a new folder on your Desktop.
  • Run the Silent Runners.vbs file.
  • You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
  • If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
  • This script is not malicious so please allow it.
  • A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
  • Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.
Also, please let me know how your computer is running.

Thank you!
tea
soberalison
BL beta log:

04/18/07 19:34:51 [Info]: BlackLight Engine 1.0.61 initialized
04/18/07 19:34:51 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/18/07 19:34:51 [Note]: 7019 4
04/18/07 19:34:51 [Note]: 7005 0
04/18/07 19:34:56 [Note]: 7006 0
04/18/07 19:34:56 [Note]: 7011 1860
04/18/07 19:34:56 [Note]: 7026 0
04/18/07 19:34:57 [Note]: 7026 0
04/18/07 19:34:57 [Note]: 7024 3
04/18/07 19:34:57 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
04/18/07 19:34:57 [Note]: 7024 3
04/18/07 19:34:57 [Info]: Hidden process: C:\Program Files\Internet Explorer\IEXPLORE.EXE
04/18/07 19:35:03 [Note]: FSRAW library version 1.7.1021


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:44:38 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\fsbl.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\HIJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guru.com/login.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.guru.com/login.cfm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\RunOnce: [CyberScurb] "C:\Program Files\CyberScrub Trial\silent.exe" /R
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Blue eye Calibration.lnk = C:\Program Files\LaCie blue eye 2\Tools\CLCalibrationLoader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe


ok?
the only item in the Blacklight list is iexplore.exe
. . . . . .
soberalison
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"OESYFplugin" = "(empty string)" [file not found]
"LDM" = "\Program\" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"CyberScurb" = ""C:\Program Files\CyberScrub Trial\silent.exe" /R" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"vptray" = "C:\PROGRA~1\NavNT\vptray.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]
{601ED020-FB6C-11D3-87D8-0050DA59922B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WsftpBrowserHelper Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsbho2k0.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA"]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "YahooTaggedBM Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{68f32140-2ca3-11d0-acc1-444553540000}" = "PicaView"
-> {HKLM...CLSID} = "PicaView Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ACDSYS~1\PicaView\PicaView.dll" ["ACD Systems, Ltd."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{880E1C60-DBEB-11D3-A4C4-A58C7193AA36}" = "CyberScrub Context Menu Shell Extension"
-> {HKLM...CLSID} = "CyberScrub Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\CYBERS~1\cybshell.dll" ["CyberScrub LLC"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {HKLM...CLSID} = "Trojan Remover Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
CyberScrub\(Default) = "{880E1C60-DBEB-11D3-A4C4-A58C7193AA36}"
-> {HKLM...CLSID} = "CyberScrub Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\CYBERS~1\cybshell.dll" ["CyberScrub LLC"]
DropStuff Context Menu\(Default) = "{2e336dc0-54f8-11d1-abd5-447270537466}"
-> {HKLM...CLSID} = "DropStuff Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\StuffIt 7.0\DropStuff\ShellDS.dll" ["Aladdin Systems, Inc."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
PicaView\(Default) = "{68f32140-2ca3-11d0-acc1-444553540000}"
-> {HKLM...CLSID} = "PicaView Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ACDSYS~1\PicaView\PicaView.dll" ["ACD Systems, Ltd."]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {HKLM...CLSID} = "Trojan Remover Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
CyberScrub\(Default) = "{880E1C60-DBEB-11D3-A4C4-A58C7193AA36}"
-> {HKLM...CLSID} = "CyberScrub Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\CYBERS~1\cybshell.dll" ["CyberScrub LLC"]
DropStuff Context Menu\(Default) = "{2e336dc0-54f8-11d1-abd5-447270537466}"
-> {HKLM...CLSID} = "DropStuff Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\StuffIt 7.0\DropStuff\ShellDS.dll" ["Aladdin Systems, Inc."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {HKLM...CLSID} = "Trojan Remover Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"GeneralTab" = (REG_DWORD) hex:0x00000000
{Disable the General page}

"SecurityTab" = (REG_DWORD) hex:0x00000000
{Disable the Security page}

"ConnectionsTab" = (REG_DWORD) hex:0x00000000
{Disable the Connections page}

"ProgramsTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"PrivacyTab" = (REG_DWORD) hex:0x00000000
{Disable the Privacy page}

"AdvancedTab" = (REG_DWORD) hex:0x00000000
{Disable the Advanced page}

"ResetWebSettings" = (REG_DWORD) hex:0x00000000
{Disable the Reset Web Settings feature}

"Settings" = (REG_DWORD) hex:0x00000000
{Prevent the deletion of temporary Internet files and cookies}

"CertifPers" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"CertifSite" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"CertifPub" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Ratings" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ContentTab" = (REG_DWORD) hex:0x00000000
{Disable the Content page}

"ConnWiz Admin Lock" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{Tools menu: Disable Internet Options... menu option}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Blue eye Calibration" -> shortcut to: "C:\Program Files\LaCie blue eye 2\Tools\CLCalibrationLoader.exe" ["ColorLogic"]


Enabled Scheduled Tasks:
------------------------

"RegCure Program Check" -> launches: "C:\Program Files\RegCure\RegCure.exe ShowReminders" [null data]
"RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]
"XoftSpySE 2" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe ShowReminders" ["ParetoLogic"]
"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 12 - 13


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\CLSID\{014DA6CE-189F-421A-88CD-07CFE51CFF10}\(Default) = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]

{669695BC-A811-4A9D-8CDF-BA8C795F261C}\
"ButtonText" = "Run DAP"
"Exec" = "C:\PROGRA~1\DAP\DAP.EXE" ["SpeedBit Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
DefWatch, DefWatch, ""C:\Program Files\NavNT\defwatch.exe"" ["Symantec Corporation"]
Norton AntiVirus Client, Norton AntiVirus Server, ""C:\Program Files\NavNT\rtvscan.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\Program Files\Speed Disk\nopdb.exe" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
HPZLNT09\Driver = "hpzlnt09.dll" ["HP"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 370 seconds.
---------- (total run time: 476 seconds)
soberalison
before I went to sleep, I rebooted and norton antivirus caught the windows/system32/main.sys and quarantined it.
it's infected.
I keep getting pop ups of quarantined normal system files.
I'll give you a norton log of quarantines.
and my machine is really really slow now.
it says Trojan.Pandex under properties on this file.
???
teacup61
Hi Alison,

Yes, I figured as much. :( ComboFix says your winlogon is infected as well. As much as I hate to say it, it would be best, and safest, for you to reformat and reinstall the OS. This malware may have already done damage that we cannot undo, and the only way to promise you a trustworthy and safe machine is to reformat. :( The stuff is just downright nasty these days.

Let me know what you decide to do.

tea
soberalison
I can't reformat for about 2 weeks due to nasty work schedules.
is there a fix we can try in the meantime?
soberalison
Hi Teacup!
Does this look right?
if so, can you give me instructions?
thanks,
alison

HOW TO REMOVE Trojan.Pandex!inf :

1. Temporarily disable System Restore (Windows Me/XP). [how to]

2. Download Kaspersky AntiVirus Personal Edition (Trial) and save it to a desired location on your Hard Drive.

3. After downloading, browse where the file was saved and double click to install it.

4. After installation, connect to internet and download all necessary updates.

5. Reboot your computer in SafeMode [how to]

6. Run Kaspersky and do a full scan of your computer. Delete all infected files.

7. In order to make sure that the threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.
teacup61
Don't disable your system restore....if something goes wrong, then you will have nothing to go back to! An infected restore point is better than none, don't you agree?
soberalison
ok, this is what I did.
I bought kaspersky, I uninstalled the ummm, um hum, norton antivirus, and I'll be starting from scratch.
then I'll run it and see what I come up with.
the online scan was able to identify most of my critters.
so I'll let you know and maybe, cross fingers, I won't need a clean install.
?
stand by.
alison
teacup61
The ummm, um hum, norton antivirus, (I agree completely) tends to do a bad job of uninstalling. Do a scan with HijackThis, and if there's any entries for Norton left in there, then run this: The Norton uninstall tool uninstalls ALL Norton 2004/2005/2006 products from your computer. It also uninstalls Norton Ghost 10.0/9.0/2003. http://service1.symantec.com/SUPPORT/tsgen...005033108162039

Standing by...........
soberalison
thanks for norton help.
also,
kaspersky takes years to scan.
when it finds a virus or trojan, I delete all, right?
LoPhatPhuud
That system has been (and probably still is) so heavily infected with rootkits that the only option is to reformat. The member has been playing for some time trying to clean the computer while it kept getting worse. Scheduled tasks from Silent Runners show instances of XoftSpy and RegCure set to run. Not the greatest combo but it attests to an infection that has been there for a while.

Once you have infected system files, it's time to reformat. I remember when Bube.d was around. Only KAV could remove it from explorer without damaging it. Other than that one exception, it was reformat. In this case, the system most likely has been so severely compromised that I would not be comfortable with anything less than reformat. That is the only way to be sure it's clean. At this point, I would re-iterate the situation and point out that due to the compromise the system is an extreme security risk and should not, under any circumstances, be used for production work, nor connected to the internet in any manner. It is critical that it be taken off line, and reformatted.

If the member has trouble with that, well, it is their computer and they are free to do as they please. But we would be less than responsible by suggesting anything else but reformat.

That's my opinion and what I would do were it my log....
soberalison
steve, thanks, didn't want to hear that, but I know it'll solve all the sluggish problems.
thanks,
will do it beginning of week.
thanks again.
I know it's the responsible thing.
thanks,
alison ;)
you both are fantastic, thanks for all your help!!!!!
LoPhatPhuud
Reformatting is never an easy decision. I usually ask myself "If my computer was severely infected, would I reformat, or try to fix". The answer dictates my action.

In your case, the more important question to ask is how did my computer get this bad??? Do I have adequate protection? In my opinion, if you are active on the internet, a minimum consists of AntiVirus, AntiTrojan, AntiSpyware, and firewall. Depending on the anti-virus program you use, the AntiTrojan may not be needed. If you use Kaspersky or NOD32, along with a top rated AntiSpyware program, then the anti-trojan may not be needed. Whichever firewall you choose, outbound protection is mandatory.

Another step you can take is to purchase a router, even if there is only one computer attached to it. It offers an additional level of protection and the cost is minimal.

Many infections today are the result of social engineering and not brute force. Phishing emails, attachments, clicking on unknown links are just some examples. I suspect habits and usage are responsible for the exploits you have.

I have been actively online since the late 1970's (even before the internet as we know it) and have yet to be infected. Partially from the protection I have installed, and partially from surfing habits that reduce risk to a minimum.

When you get set back up, I'll be happy to answer any questions you may have.
Invision Power Board © 2001-2010 Invision Power Services, Inc.