Hijack this Log and basic info

  1. #11
    Neal (Dedicated Member)

    Re: Hijack this Log and basic info

    Re-scan so I can see silent runners.


    Don't run the tool yet, please.
    Please download Webroot SpySweeper from here: SpySweeper

    Click the Free Trial link under "SpySweeper" to download the program.
    Install it.
    Once the program is installed, it will open.
    It will prompt you to update to the latest definitions, click Yes.
    Once the definitions are installed, click Sweep Now on the left side.
    Click the Start button.
    When it's done scanning, click the Next button.
    Make sure everything has a check next to it, then click the Next button.
    It will remove all of the items found.
    Click Session Log in the upper right corner, copy everything in that window.
    Click the Summary tab and click Finish.

    Paste the contents of the session log you copied into your next reply.



    Download CCleaner from here:
    http://www.majorgeeks.com/download4191.html
    or here:
    http://www.filehippo.com/download_ccleaner.html

    Don't run the tool just yet, please.
    Install it. The Windows tab should be opened in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.

    1. Uncheck "Cookies" under "Internet Explorer".

    2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".



    Don't scan just yet, please.
    Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


    Run Ewido from safe mode please.

    Run CCleaner from safe mode.

    Run SpySweeper from safe mode.


    Post the Ewido log.

    Post the SpySweeper log.

    Thanks


  2. #12
    michaelh (Junior Member)
    The only one I could run was the SpySweeper. I couldn't even download the Ewido software, as the page just said "Page cannot be displayed". I could download the CCleaner, but it would not let me install it.

    Below is the log from SpySweeper:


    ********
    16:55: | Start of Session, 28 November 2005 |
    16:55: Spy Sweeper started
    16:55: Sweep initiated using definitions version 556
    16:55: Starting Memory Sweep
    16 Memory Sweep Complete, Elapsed Time: 00:01:14
    16 Starting Registry Sweep
    16 Found Adware: apropos
    16 HKLM\software\aprps\ (2 subtraces) (ID = 103741)
    16 Found Trojan Horse: csrss spamrelayer
    16 HKLM\software\microsoft\windows\currentversion\run\ || csrss (ID = 112618)
    16 HKU\WRSS_Profile_S-1-5-21-2225589205-4212676017-31143968-1003\software\microsoft\windows\currentversion\run\ || csrss (ID = 112615)
    16:57: Registry Sweep Complete, Elapsed Time:00:00:17
    16:57: Starting Cookie Sweep
    16:57: Found Spy Cookie: 2o7.net cookie
    16:57: owner@112.2o7[2].txt (ID = 1958)
    16:57: Found Spy Cookie: 888 cookie
    16:57: owner@888[1].txt (ID = 2019)
    16:57: owner@888[2].txt (ID = 2019)
    16:57: Found Spy Cookie: go.com cookie
    16:57: owner@abc.go[1].txt (ID = 2729)
    16:57: Found Spy Cookie: about cookie
    16:57: owner@about[1].txt (ID = 2037)
    16:57: Found Spy Cookie: yieldmanager cookie
    16:57: owner@ad.yieldmanager[1].txt (ID = 3751)
    16:57: Found Spy Cookie: adknowledge cookie
    16:57: owner@adknowledge[1].txt (ID = 2072)
    16:57: Found Spy Cookie: hbmediapro cookie
    16:57: owner@adopt.hbmediapro[2].txt (ID = 2768)
    16:57: Found Spy Cookie: specificclick.com cookie
    16:57: owner@adopt.specificclick[1].txt (ID = 3400)
    16:57: Found Spy Cookie: adrevservice cookie
    16:57: owner@adrevservice[1].txt (ID = 2091)
    16:57: Found Spy Cookie: adultfriendfinder cookie
    16:57: owner@adultfriendfinder[2].txt (ID = 2165)
    16:57: Found Spy Cookie: ask cookie
    16:57: owner@ask[2].txt (ID = 2245)
    16:57: Found Spy Cookie: a cookie
    16:57: owner@a[1].txt (ID = 2027)
    16:57: Found Spy Cookie: belnk cookie
    16:57: owner@belnk[1].txt (ID = 2292)
    16:57: Found Spy Cookie: barelylegal cookie
    16:57: owner@c.fsx[1].txt (ID = 2286)
    16:57: Found Spy Cookie: gostats cookie
    16:57: owner@c3.gostats[1].txt (ID = 2748)
    16:57: Found Spy Cookie: cassava cookie
    16:57: owner@cassava[1].txt (ID = 2362)
    16:57: Found Spy Cookie: ccbill cookie
    16:57: owner@ccbill[2].txt (ID = 2369)
    16:57: Found Spy Cookie: commission junction cookie
    16:57: owner@cj[1].txt (ID = 2453)
    16:57: Found Spy Cookie: clicks cookie
    16:57: owner@clicks[2].txt (ID = 2402)
    16:57: owner@cnn.122.2o7[1].txt (ID = 1958)
    16:57: owner@contemporarylit.about[2].txt (ID = 2038)
    16:57: owner@disney.go[1].txt (ID = 2729)
    16:57: owner@dist.belnk[2].txt (ID = 2293)
    16:57: Found Spy Cookie: wegcash cookie
    16:57: owner@free.wegcash[1].txt (ID = 3682)
    16:57: Found Spy Cookie: gamespy cookie
    16:57: owner@gamespy[1].txt (ID = 2719)
    16:57: owner@gostats[2].txt (ID = 2747)
    16:57: owner@go[1].txt (ID = 2728)
    16:57: Found Spy Cookie: hypertracker.com cookie
    16:57: owner@hypertracker[1].txt (ID = 2817)
    16:57: Found Spy Cookie: screensavers.com cookie
    16:57: owner@i.screensavers[2].txt (ID = 3298)
    16:57: Found Spy Cookie: imlive.com cookie
    16:57: owner@imlive[2].txt (ID = 2843)
    16:57: Found Spy Cookie: infospace cookie
    16:57: owner@infospace[2].txt (ID = 2865)
    16:57: owner@microsofteup.112.2o7[1].txt (ID = 1958)
    16:57: owner@microsoftwga.112.2o7[1].txt (ID = 1958)
    16:57: Found Spy Cookie: touchclarity cookie
    16:57: owner@msn.touchclarity[1].txt (ID = 3566)
    16:57: Found Spy Cookie: mysearchnow cookie
    16:57: owner@mysearchnow[2].txt (ID = 3047)
    16:57: Found Spy Cookie: netvenda cookie
    16:57: owner@netvenda[1].txt (ID = 3073)
    16:57: Found Spy Cookie: aptimus cookie
    16:57: owner@network.aptimus[2].txt (ID = 2235)
    16:57: Found Spy Cookie: nextag cookie
    16:57: owner@nextag[2].txt (ID = 5014)
    16:57: Found Spy Cookie: partypoker cookie
    16:57: owner@partypoker[2].txt (ID = 3111)
    16:57: Found Spy Cookie: pricegrabber cookie
    16:57: owner@pcworld.pricegrabber[1].txt (ID = 3186)
    16:57: owner@phoenix.about[1].txt (ID = 2038)
    16:57: owner@pricegrabber[1].txt (ID = 3185)
    16:57: Found Spy Cookie: rn11 cookie
    16:57: owner@rn11[2].txt (ID = 3261)
    16:57: Found Spy Cookie: sex cookie
    16:57: owner@sex[2].txt (ID = 3347)
    16:57: Found Spy Cookie: directtrack cookie
    16:57: owner@sideshow.directtrack[2].txt (ID = 2528)
    16:57: Found Spy Cookie: socalcoeds.com cookie
    16:57: owner@socalcoeds[2].txt (ID = 3393)
    16:57: Found Spy Cookie: starware.com cookie
    16:57: owner@starware[2].txt (ID = 3441)
    16:57: Found Spy Cookie: dealtime cookie
    16:57: owner@stat.dealtime[2].txt (ID = 2506)
    16:57: Found Spy Cookie: reliablestats cookie
    16:57: owner@stats1.reliablestats[2].txt (ID = 3254)
    16:57: Found Spy Cookie: teensforcash cookie
    16:57: owner@teensforcash[1].txt (ID = 3509)
    16:57: owner@theaa.touchclarity[1].txt (ID = 3566)
    16:57: Found Spy Cookie: toplist cookie
    16:57: owner@toplist[2].txt (ID = 3557)
    16:57: Found Spy Cookie: sexsearch cookie
    16:57: owner@tour.splash.sexsearch[1].txt (ID = 3358)
    16:57: Found Spy Cookie: tracking cookie
    16:57: owner@tracking[2].txt (ID = 3571)
    16:57: Found Spy Cookie: clickzs cookie
    16:57: owner@vip.clickzs[2].txt (ID = 2413)
    16:57: owner@web.uk.ask[1].txt (ID = 2246)
    16:57: Found Spy Cookie: webpower cookie
    16:57: owner@webpower[2].txt (ID = 3660)
    16:57: owner@webtrends.imlive[1].txt (ID = 2844)
    16:57: Found Spy Cookie: camgirlslive cookie
    16:57: owner@www.camgirlslive[2].txt (ID = 2345)
    16:57: Found Spy Cookie: consumerfreedom.com cookie
    16:57: owner@www.consumerfreedom[2].txt (ID = 2460)
    16:57: Found Spy Cookie: frenchcum cookie
    16:57: owner@www.frenchcum[1].txt (ID = 2707)
    16:57: owner@www.netvenda[1].txt (ID = 3074)
    16:57: owner@www.screensavers[1].txt (ID = 3298)
    16:57: Found Spy Cookie: upspiral cookie
    16:57: owner@www.upspiral[2].txt (ID = 3615)
    16:57: Found Spy Cookie: web-stat cookie
    16:57: owner@www.web-stat[1].txt (ID = 3649)
    16:57: Found Spy Cookie: xiti cookie
    16:57: owner@xiti[1].txt (ID = 3717)
    16:57: Found Spy Cookie: yadro cookie
    16:57: owner@yadro[2].txt (ID = 3743)
    16:57: Found Spy Cookie: adserver cookie
    16:57: owner@z1.adserver[1].txt (ID = 2142)
    16:57: Cookie Sweep Complete, Elapsed Time: 00:00:11
    16:57: Starting File Sweep
    17:01: wingenerics.dll (ID = 50187)
    17:08: File Sweep Complete, Elapsed Time: 00:11:10
    17:08: Full Sweep has completed. Elapsed time 00:13:07
    17:08: Traces Found: 75
    ********
    16:55: | Start of Session, 28 November 2005 |
    16:55: Spy Sweeper started
    16:55: Program Version 4.5.7 (Build 656) Using Spyware Definitions 556
    16:55: | End of Session, 28 November 2005 |

  3. #13
    Neal (Dedicated Member)
    Hi,


    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download AproposFix from here:
    http://swandog46.geekstogo.com/aproposfix.exe

    Save it to your desktop but do NOT run it yet.

    Then please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

    When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

    After the above, try those scans again and post a new HijackThis log, hopefully from normal mode.

    Try Silent Runners again, please.
    Last edited by Neal; 29-11-2005 at 12:14 AM.

  4. #14
    michaelh (Junior Member)
    Alright Neal. Used AproposFix, but still cannot download Ewido or run CCleaner.

    Here is the log AproposFix gave me. A new HijackThis log is below.


    Log of AproposFix v1




    ************

    Running from directory:
    C:\Documents and Settings\Owner\My Documents\Michael\DAL Help\aproposfix

    ************

    Registry entries found:

    [HKEY_LOCAL_MACHINE\Software\C5XOEAyEhUp5]
    "Device"="\\\\.\\IpFLane"
    "DriverPath"="C:\\WINDOWS\\system32\\drivers\\smcltmgr.sys"
    "DriverName"="AudsMgr"
    "HideUninstallerName"="C:\\Program Files\\Tclffice\\qt-etmgr.exe"
    "UninstallerPath"="C:\\WINDOWS\\system32\\dpwups.exe"
    "UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{A3A27E5F-FF64-49D6-A5D9-5B84C3D424F4}"
    "UninstallerParams"="/CTUN"
    "HDll"="C:\\WINDOWS\\system32\\mshdosx.dll"
    "ServerAddress"="adchannel.contextplus.net"
    "LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
    "PartnerId"="CP.IST2"
    "InstallationId"="{X5867b5c-735e-149c-2d20-242c969e95c1}"
    "PageFiltering"=dword:00000001
    "ClientName"="C:\\Program Files\\Tclffice\\dfsigest.exe"
    "AutoUpdater"="C:\\WINDOWS\\system32\\nlsalspl.exe"

    ************

    Removing hidden service:
    Service AudsMgr removed.

    Removing hidden folder:
    Deletion of folder Tclffice succeeded!

    Deleting files:

    Deletion of file C:\WINDOWS\system32\drivers\smcltmgr.sys succeeded!
    Deletion of file C:\WINDOWS\system32\nlsalspl.exe succeeded!
    Deletion of file C:\WINDOWS\system32\mshdosx.dll succeeded!
    Deletion of file C:\WINDOWS\system32\dpwups.exe succeeded!

    Backing up files:
    Done!

    Removing registry entries:

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\C5XOEAyEhUp5]
    [-HKEY_LOCAL_MACHINE\Software\C5XOEAyEhUp5]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A3A27E5F-FF64-49D6-A5D9-5B84C3D424F4}]

    Done!

    Finished!


    Here's the HijackThis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 14:33:46, on 29/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\Hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:/HP/REGION/start.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:/HP/REGION/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-uk3.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~2\BIN\WIN2K\tidslmon.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-b2.wanadoo.co.uk/Java/cfs31248.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1112461530794
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130160745031
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

  5. #15
    Neal (Dedicated Member)
    Nice work, the Apropos Trojan is gone now.

    Try this online Trojan scanner:

    TrojanScanner


    Rescan with SpySweeper also and post a new log from that, please.
    SpySweeper needs to quarantine everything it finds; the last log did not quarantine anything, and it shows another Trojan we have got to get quarantined or deleted some way.


    Also, if you have access to an uninfected computer, you can download Ewido to that, burn it to CD and see if you can get it to work like that.

    Also go here and see if you can scan with HOUSECALL:

    http://housecall.trendmicro.com/
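Added example, not code from the thread or from Webroot: a small Python parser for the Spy Sweeper session-log format posted above. For each detection it reports whether the trace was only found, quarantined, or deleted from quarantine, which is the gap pointed out in this post. The sample log is constructed in that format and, like the posted copy, includes lines whose timestamps lost their minutes ("16 Found ...").

```python
import re

# Constructed sample in the Spy Sweeper session-log format quoted in this
# thread (not the full log above). As in the posted log, some lines have
# lost the ":MM:" part of their timestamp and read "16 Found ...".
SAMPLE_LOG = """\
16:55: | Start of Session, 28 November 2005 |
16:55: Sweep initiated using definitions version 556
16 Starting Registry Sweep
16 Found Adware: apropos
16 HKLM\\software\\aprps\\ (2 subtraces) (ID = 103741)
16 Found Trojan Horse: csrss spamrelayer
16 HKLM\\software\\microsoft\\windows\\currentversion\\run\\ || csrss (ID = 112618)
16:57: Starting Cookie Sweep
16:57: Found Spy Cookie: 2o7.net cookie
16:57: owner@112.2o7[2].txt (ID = 1958)
16:57: owner@cnn.122.2o7[1].txt (ID = 1958)
17:08: Traces Found: 4
17:09: Removal process initiated
17:09: Quarantining All Traces: 2o7.net cookie
17:09: Removal process completed. Elapsed time 00:00:05
17:10: Deletion from quarantine initiated
17:10: Processing: 2o7.net cookie
17:10: Deletion from quarantine completed. Elapsed time 00:00:00
"""

# Timestamp prefix: "16:57: " normally, "16 " where the minutes were lost.
_PREFIX = r"^\d{1,2}(?::\d{2}:)?\s+"
_FOUND = re.compile(_PREFIX + r"Found (?P<cat>[^:]+): (?P<name>.+?)\s*$")
_QUARANTINE = re.compile(_PREFIX + r"Quarantining All Traces: (?P<name>.+?)\s*$")
_PROCESSING = re.compile(_PREFIX + r"Processing: (?P<name>.+?)\s*$")
_DELETION_START = re.compile(_PREFIX + r"Deletion from quarantine initiated")
_TRACE = re.compile(_PREFIX + r"(?P<trace>.+\(ID = \d+\))\s*$")


def _new_entry(category):
    return {"category": category, "traces": [], "quarantined": False, "deleted": False}


def parse_session_log(text):
    """Map each detection name to its category, trace lines and removal state."""
    report = {}
    current = None        # detection whose trace lines follow
    in_deletion = False   # "Processing:" lines only mean deletion in this phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _FOUND.match(line):
            current = m.group("name")
            report.setdefault(current, _new_entry(m.group("cat")))
            continue
        if m := _QUARANTINE.match(line):
            current = None
            report.setdefault(m.group("name"), _new_entry("unknown"))["quarantined"] = True
            continue
        if _DELETION_START.match(line):
            current, in_deletion = None, True
            continue
        if in_deletion and (m := _PROCESSING.match(line)):
            if m.group("name") in report:
                report[m.group("name")]["deleted"] = True
            continue
        if current is not None and (m := _TRACE.match(line)):
            report[current]["traces"].append(m.group("trace"))
            continue
        current = None   # any other status line ends the run of trace lines
    return report


def needs_attention(report):
    """Non-cookie detections that were found but never quarantined."""
    return [name for name, e in report.items()
            if e["category"] != "Spy Cookie" and not e["quarantined"]]


def summarize(report):
    """One row per detection: removal state, category, name, trace count."""
    rows = []
    for name, e in report.items():
        state = "deleted" if e["deleted"] else "quarantined" if e["quarantined"] else "FOUND ONLY"
        rows.append(f"{state:<11} {e['category']:<13} {name} ({len(e['traces'])} trace(s))")
    return "\n".join(rows)


if __name__ == "__main__":
    parsed = parse_session_log(SAMPLE_LOG)
    print(summarize(parsed))
    print("still needs removal:", needs_attention(parsed))
```

Run it against a pasted session log to see at a glance which registry or file traces were reported but never reached the quarantine or deletion phases.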

  6. #16
    michaelh (Junior Member)
    I've just run the a2 scanner and here's what it found and removed.

    a² Report
    Filename Diagnosis
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsb94.tmp\KillProcDLL.dll Riskware.RiskTool.Win32.PsKill.h
    C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\KillProcDLL.dll Riskware.RiskTool.Win32.PsKill.h
    C:\Documents and Settings\Administrator\Local Settings\Temp\nse9A.tmp\KillProcDLL.dll Riskware.RiskTool.Win32.PsKill.h
    C:\Documents and Settings\Administrator\Local Settings\Temp\nshA3.tmp\KillProcDLL.dll Riskware.RiskTool.Win32.PsKill.h
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsi9D.tmp\KillProcDLL.dll Riskware.RiskTool.Win32.PsKill.h
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsp97.tmp\KillProcDLL.dll Riskware.RiskTool.Win32.PsKill.h
    C:\Documents and Settings\Administrator\Local Settings\Temp\nsvA0.tmp\KillProcDLL.dll Riskware.RiskTool.Win32.PsKill.h
    C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@adtech[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@common[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@companieshouse.gov[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@com[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@etype.adbureau[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@gammae[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@indextools[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@media.putfile[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@medianewsgroup[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@mediaonenetwork[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@mediauk[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@popcap[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@popmatters[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@web4.realtracker[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@webtrends.thisis.co[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@webtrendssdc.covers[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@windowsmedia[1].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt Trace.TrackingCookie
    C:\Documents and Settings\Owner\Local Settings\Temp\nsb3.tmp\KillProcDLL.dll Riskware.RiskTool.Win32.PsKill.h
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4TIJKLYN\adv661[1].htm Trojan-Dropper.VBS.Inor.cz

  7. #17
    michaelh (Junior Member)
    Right, as well as scanning with the above, I also re-swept with SpySweeper. I quarantined it all and deleted it. The log is below.

    The new HijackThis log is after it. Has it got rid of anything else?


    ********
    14:20: | Start of Session, 01 December 2005 |
    14:20: Spy Sweeper started
    14:20: Sweep initiated using definitions version 575
    14:20: Starting Memory Sweep
    14 Memory Sweep Complete, Elapsed Time: 00:01:21
    14 Starting Registry Sweep
    14 Found Trojan Horse: trojan-backdoor-securemulti
    14 HKLM\software\microsoft\windows\currentversion\run\ || csrss (ID = 112618)
    14:22: HKU\WRSS_Profile_S-1-5-21-2225589205-4212676017-31143968-1003\software\microsoft\windows\currentversion\run\ || csrss (ID = 112615)
    14:22: Registry Sweep Complete, Elapsed Time:00:00:18
    14:22: Starting Cookie Sweep
    14:22: Found Spy Cookie: 2o7.net cookie
    14:22: owner@112.2o7[2].txt (ID = 1958)
    14:22: Found Spy Cookie: 247realmedia cookie
    14:22: owner@247realmedia[1].txt (ID = 1953)
    14:22: Found Spy Cookie: yieldmanager cookie
    14:22: owner@ad.yieldmanager[1].txt (ID = 3751)
    14:22: Found Spy Cookie: adtech cookie
    14:22: owner@adtech[2].txt (ID = 2155)
    14:22: Found Spy Cookie: falkag cookie
    14:22: owner@as-us.falkag[2].txt (ID = 2650)
    14:22: Found Spy Cookie: ask cookie
    14:22: owner@ask[1].txt (ID = 2245)
    14:22: Found Spy Cookie: a cookie
    14:22: owner@a[1].txt (ID = 2027)
    14:22: Found Spy Cookie: belnk cookie
    14:22: owner@belnk[1].txt (ID = 2292)
    14:22: Found Spy Cookie: bluestreak cookie
    14:22: owner@bluestreak[1].txt (ID = 2314)
    14:22: Found Spy Cookie: bs.serving-sys cookie
    14:22: owner@bs.serving-sys[1].txt (ID = 2330)
    14:22: Found Spy Cookie: burstnet cookie
    14:22: owner@burstnet[1].txt (ID = 2336)
    14:22: Found Spy Cookie: zedo cookie
    14:22: owner@c2.zedo[1].txt (ID = 3763)
    14:22: owner@c4.zedo[2].txt (ID = 3763)
    14:22: Found Spy Cookie: casalemedia cookie
    14:22: owner@casalemedia[1].txt (ID = 2354)
    14:22: owner@dist.belnk[2].txt (ID = 2293)
    14:22: Found Spy Cookie: adbureau cookie
    14:22: owner@etype.adbureau[1].txt (ID = 2060)
    14:22: Found Spy Cookie: maxserving cookie
    14:22: owner@maxserving[2].txt (ID = 2966)
    14:22: Found Spy Cookie: passion cookie
    14:22: owner@passion[1].txt (ID = 3113)
    14:22: Found Spy Cookie: questionmarket cookie
    14:22: owner@questionmarket[1].txt (ID = 3217)
    14:22: Found Spy Cookie: realmedia cookie
    14:22: owner@realmedia[1].txt (ID = 3235)
    14:22: Found Spy Cookie: serving-sys cookie
    14:22: owner@serving-sys[1].txt (ID = 3343)
    14:22: Found Spy Cookie: statcounter cookie
    14:22: owner@statcounter[1].txt (ID = 3447)
    14:22: Found Spy Cookie: tribalfusion cookie
    14:22: owner@tribalfusion[2].txt (ID = 3589)
    14:22: Found Spy Cookie: realtracker cookie
    14:22: owner@web4.realtracker[2].txt (ID = 3242)
    14:22: Found Spy Cookie: adserver cookie
    14:22: owner@z1.adserver[1].txt (ID = 2142)
    14:22: owner@zedo[1].txt (ID = 3762)
    14:22: Cookie Sweep Complete, Elapsed Time: 00:00:09
    14:22: Starting File Sweep
    14:34: File Sweep Complete, Elapsed Time: 00:12:14
    14:34: Full Sweep has completed. Elapsed time 00:14:17
    14:34: Traces Found: 28
    14:36: Removal process initiated
    14:36: Quarantining All Traces: trojan-backdoor-securemulti
    14:37: Quarantining All Traces: 2o7.net cookie
    14:37: Quarantining All Traces: 247realmedia cookie
    14:37: Quarantining All Traces: yieldmanager cookie
    14:37: Quarantining All Traces: adtech cookie
    14:37: Quarantining All Traces: falkag cookie
    14:37: Quarantining All Traces: ask cookie
    14:37: Quarantining All Traces: a cookie
    14:37: Quarantining All Traces: belnk cookie
    14:37: Quarantining All Traces: bluestreak cookie
    14:37: Quarantining All Traces: bs.serving-sys cookie
    14:37: Quarantining All Traces: burstnet cookie
    14:37: Quarantining All Traces: zedo cookie
    14:37: Quarantining All Traces: casalemedia cookie
    14:37: Quarantining All Traces: adbureau cookie
    14:37: Quarantining All Traces: maxserving cookie
    14:37: Quarantining All Traces: passion cookie
    14:37: Quarantining All Traces: questionmarket cookie
    14:37: Quarantining All Traces: realmedia cookie
    14:37: Quarantining All Traces: serving-sys cookie
    14:37: Quarantining All Traces: statcounter cookie
    14:37: Quarantining All Traces: tribalfusion cookie
    14:37: Quarantining All Traces: realtracker cookie
    14:37: Quarantining All Traces: adserver cookie
    14:37: Removal process completed. Elapsed time 00:00:29
    14:38: Deletion from quarantine initiated
    14:38: Processing: realmedia cookie
    14:38: Processing: 247realmedia cookie
    14:38: Processing: realtracker cookie
    14:38: Processing: adbureau cookie
    14:38: Processing: burstnet cookie
    14:38: Processing: ask cookie
    14:38: Processing: bs.serving-sys cookie
    14:38: Processing: a cookie
    14:38: Processing: belnk cookie
    14:38: Processing: casalemedia cookie
    14:38: Processing: yieldmanager cookie
    14:38: Processing: adserver cookie
    14:38: Processing: falkag cookie
    14:38: Processing: maxserving cookie
    14:38: Processing: tribalfusion cookie
    14:38: Processing: 2o7.net cookie
    14:38: Processing: passion cookie
    14:38: Processing: questionmarket cookie
    14:38: Processing: serving-sys cookie
    14:38: Processing: statcounter cookie
    14:38: Processing: adtech cookie
    14:38: Processing: bluestreak cookie
    14:38: Processing: zedo cookie
    14:38: Processing: trojan-backdoor-securemulti
    14:38: Deletion from quarantine completed. Elapsed time 00:00:00
    ********

    Here is a new HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 14:39:59, on 01/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\Hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:/HP/REGION/start.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:/HP/REGION/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-uk3.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk3.hpwis.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~2\BIN\WIN2K\tidslmon.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-b2.wanadoo.co.uk/Java/cfs31248.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1112461530794
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130160745031
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

  8. #18
    Neal is offline Dedicated Member
    So I take it you are only able to run HJT from safe mode.

    Does Norton work now?






    Please download RootKitRevealer from here:
    http://www.sysinternals.com/files/rootkitrevealer.zip
    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.







    1. Please download dllcompare (A scanner to locate hidden DLL files) from this location:
    DLLCompare
    2. When you execute dllcompare.exe, by default the c:\windows\system32 is selected. This can be changed to scan your entire computer for any file type - Simply select the path and check off the box labelled "Include SubDirectories"
    3. Click on "Locate.com" and allow the scan to complete.
    4. After the scan has finished click on "Compare" to scan for the files that Windows does not see. This step will take a few minutes to run.
    5. If the box at the bottom of the screen contains any files, these are the ones that are hidden - Click on "Make a Log of what was Found".
    6. When prompted to "View Log File" click on "Yes".
    7. Notepad will open with the log file contents.
    8. In Notepad, click on "Edit" => "Select All" => "Edit" => "Copy" and post the contents as a reply to this message.

    Thanks.




    Download http://www.bleepingcomputer.com/files/winpfind.php

    Extract WinPFind.zip to your c:\ folder.

    Reboot your computer into Safe Mode

    Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

  9. #19
    michaelh is offline Junior Member
    Quote Originally Posted by Neal
    So I take it you are only able to run HJT from safe mode.
    Does Norton work now?
    Yep, HJT only works from safe mode. The screen just goes blank if I try and do it from Normal. And Norton still does not work, all I get is an error message.

    I tried to download RootKitRevealer, but had the same problem as ewido - "Page could not be displayed"

    Here is the log from DLLCompare


    * DLLCompare Log version()
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found "
    ________________________________________________

    2,127 items found: 2,126 files, 1 directory.
    Total of file sizes: 423,996,892 bytes 404.35 M

    Administrator Account = True

    --------------------End log---------------------


    Here is the log from WinPFind (it will be over two posts)

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...
    qoologic 02/12/2005 14:43:48 203302 C:\WinPFind.zip

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...
    UPX! 10/10/2005 11:42:28 72019968 C:\WINDOWS\MEMORY.DMP
    aspack 10/10/2005 11:42:28 72019968 C:\WINDOWS\MEMORY.DMP

    Checking %System% folder...
    PEC2 21/07/2001 21:15:34 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PEC2 09/08/2005 22:14:00 692736 C:\WINDOWS\SYSTEM32\DivX.dll
    PECompact2 09/08/2005 22:14:00 692736 C:\WINDOWS\SYSTEM32\DivX.dll
    PTech 04/11/2005 16:27:24 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
    PECompact2 02/11/2005 05:34:18 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 02/11/2005 05:34:18 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 04/08/2004 0736 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 04/08/2004 0744 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 21/07/2001 21:23:44 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

    Checking %System%\Drivers folder and sub-folders...
    PTech 04/08/2004 05:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    02/12/2005 14:45:44 S 2048 C:\WINDOWS\bootstat.dat
    29/11/2005 14:26:50 H 24 C:\WINDOWS\p5Yxl
    01/12/2005 16:47:06 H 54156 C:\WINDOWS\QTFont.qfn
    25/10/2005 12:27:02 H 0 C:\WINDOWS\INF\oem25.inf
    11/10/2005 19:43:36 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6752e343d22c025be1f290a6267a146d\BIT6.tmp
    12/11/2005 22:29:10 HS 2 C:\WINDOWS\SYSTEM32\netstat.com
    22/11/2005 15:30:24 HS 2 C:\WINDOWS\SYSTEM32\taskkill.com
    05/10/2005 20:33:38 S 12849 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
    05/10/2005 01:17:40 S 21737 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
    02/12/2005 14:45:56 H 12288 C:\WINDOWS\SYSTEM32\config\default.LOG
    02/12/2005 14:46:02 H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
    02/12/2005 14:45:46 H 16384 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
    02/12/2005 14:46:14 H 94208 C:\WINDOWS\SYSTEM32\config\software.LOG
    02/12/2005 14:45:54 H 1122304 C:\WINDOWS\SYSTEM32\config\system.LOG
    09/11/2005 14:25:38 H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\NTUSER.DAT.LOG
    02/12/2005 14:00:12 HS 2528 C:\WINDOWS\SYSTEM32\drivers\etc\hosts
    22/11/2005 15:30:24 HS 2476 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20051122-163240.backup
    23/11/2005 17:45:48 HS 2528 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20051123-205854.backup
    24/11/2005 15:23:42 HS 2528 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20051124-160822.backup
    01/12/2005 14:41:24 HS 2528 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
    23/11/2005 23:13:02 HS 74240 C:\WINDOWS\SYSTEM32\mavlko\csrss.exe
    02/12/2005 14:44:16 HS 310 C:\WINDOWS\SYSTEM32\mavlko\csrss.ini
    23/11/2005 23:13:18 HS 24576 C:\WINDOWS\SYSTEM32\mavlko\smss.exe
    02/12/2005 14:44:34 H 6 C:\WINDOWS\Tasks\SA.DAT
    24/11/2005 14:26:54 HS 616448 C:\WINDOWS\Temp\2e75k0rc.TMP

    Checking for CPL files...
    Microsoft Corporation 04/08/2004 0758 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 04/08/2004 0758 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Broadcom Corporation 01/10/2004 14:40:16 266299 C:\WINDOWS\SYSTEM32\btcpl.cpl
    Microsoft Corporation 04/08/2004 0758 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Conexant Systems 10/07/2001 19:13:12 316416 C:\WINDOWS\SYSTEM32\csacpl.cpl
    Microsoft Corporation 04/08/2004 0758 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 04/08/2004 0758 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 04/08/2004 0758 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Intel Corporation 07/08/2001 16:00:08 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
    Microsoft Corporation 04/08/2004 0758 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 04/08/2004 0758 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 04/08/2004 0758 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 04/08/2004 0758 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 26/08/2005 17:14:42 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 18/08/2001 05:37:02 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 04/08/2004 0758 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 18/08/2001 05:37:02 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 04/08/2004 0758 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 04/08/2004 0758 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 04/08/2004 0758 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Sun Microsystems 05/10/2001 12:53:54 45151 C:\WINDOWS\SYSTEM32\plugincpl131_01.cpl
    Microsoft Corporation 04/08/2004 0758 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Microsoft Corporation 04/08/2004 0758 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 18/08/2001 05:37:02 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 04/08/2004 0758 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 04/08/2004 0758 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 18/08/2001 05:37:02 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 18/08/2001 05:37:02 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 18/08/2001 05:37:02 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    28/11/2005 20:16:00 1768 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    16/09/2005 12:32:18 677 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
    02/09/2001 05:35:58 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    01/09/2001 22:25:52 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
    10/10/2005 21:33:44 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

    Checking files in %USERPROFILE%\Startup folder...
    02/09/2001 05:35:58 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    01/09/2001 22:25:52 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    =

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
    {AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
    {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
    CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
    PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
    CNavExtBho Class = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9455301C-CF6B-11D3-A266-00C04F689C50}
    Encarta &Researcher = C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Norton Internet Security : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    {8B68564D-53FD-4293-B80C-993A9F3988EE} = Wanadoo : C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
    ButtonText = Spyware Doctor :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
    MenuText = Uninstall BitDefender Online Scanner v8 :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9455301C-CF6B-11D3-A266-00C04F689C50}
    ButtonText = Researcher :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CCA281CA-C863-46ef-9331-5C8D4460577F}
    ButtonText = @btrez.dll,-4015 :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

  10. #20
    michaelh is offline Junior Member
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    hpsysdrv c:\windows\system\hpsysdrv.exe
    KBD C:\HP\KBD\KBD.EXE
    NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    IgfxTray C:\WINDOWS\System32\igfxtray.exe
    HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
    PS2 C:\WINDOWS\system32\ps2.exe
    WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
    Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
    NeroCheck C:\WINDOWS\System32\\NeroCheck.exe
    TIxDSL C:\PROGRA~1\FREESE~2\BIN\WIN2K\tidslmon.exe
    UserFaultCheck %systemroot%\system32\dumprep 0 -u
    SpeedTouch USB Diagnostics "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    BluetoothAuthenticationAgent rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Adobe Photo Downloader "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    csrss

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
    Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 02/12/2005 14:59:07
