My home PC has recently been infected by the Dropped:Trojan.Hoax.Renos.C virus. It has hijacked my browser and has irrevocably changed my homepage to About:blank. Unfortunately, my AV software has deleted some of the infected/spyware files and my browser can no longer access the internet, so I cannot download the software as advised on previous threads. I'm not sure if there are any more but the AV software I have tells me that there are three suspect files remaining - C:|WINDOWS\system32\atmclk.exe; dcomcfg.exe and regperf.exe. Any suggestions?

Garry

Please follow all of Owen's instructions HERE once you have completed that post your log on the Spyware, Adware and Viruses board

Thank you for your reply to my call for help. Unfortunately, because my browswer no longer works, I can't download the required programmes from the web. Is there any other way to solve my problem? If I download the programmes to a CD via a laptop and then transfer them to the PC, will that work?
Garry.

Yes that should work fine.

Thanks for your very swift response. After a lot of messing about with my PC, laptop and CDs, here is the initial Hijack This scan log:

Logfile of HijackThis v1.99.1
Scan saved at 20:27:28, on 18/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 8.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuard.exe
C:\Program Files\Idigicon\Anti Spam 2005\pcspamer.exe
C:\Program Files\Idigicon\Internet Protector 2005\ip2005.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Idigicon Anonysurf\SWebPriv.exe
C:\Program Files\SmartM\BlueOpal\Utilities\ObexDefaultServer. exe
C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
C:\Program Files\SmartM\BlueOpal\Utilities\ObexDefaultServer. exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijack This\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http://24.0.248.11:9997
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 8.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuard.exe"
O4 - HKCU\..\Run: [Anty Spamer] C:\Program Files\Idigicon\Anti Spam 2005\pcspamer.exe
O4 - HKCU\..\Run: [GuardDog] C:\Program Files\Idigicon\Internet Protector 2005\ip2005.exe
O4 - Startup: Idigicon Anonysurf.lnk = C:\Program Files\Idigicon Anonysurf\SWebPriv.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/200...reeInstall.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard File Monitoring (BsFileSpy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard Firewall (BsFirewall) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard Email Monitoring (BsMailProxy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)

Garry

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply (if unsure of your results).
DO NOT RUN ANY OTHER OPTIONS UNTIL REQUESTED TO.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm





If infected files were listed above, please proceed as follows:

STEP # 2 - Cleaning

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.



Please download, install, update and scan your system with the free (trial) version of Ewido TROJAN scanner
[Developed for Windows 2000 and XP]:

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
   
   
4. We will be using this tool in a later step.

Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days. We are not installing the guard because it might interfere with the cleanup or the malware removal process. You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan. If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.

• Click on Scanner
• Click on Settings
  • Under How to scan all boxes should be checked
  • Under Unwanted Software all boxes should be checked
  • Under What to scan select Scan every file
  • Click on Ok
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

• Click Save Report button
• Save the report to your Desktop

Close Ewido and Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:

1. c:\rapport.txt
2. Ewido log
3. A new HijackThis log

You may need several replies to post the requested logs, otherwise they might get cut off.

Thank you for your response. I followed the instructions as best I could but came across a couple of challenges in that the software didn't give exactly the responses indicated and I couldn't see all the window for the ewido programme. This being the case I ran a report before quarantining the infected files and after, just to be sure. Also, I should point out that I still cannot connect to the internet using IE6 browser, although access to email accounts has been unaffected throughout. I will send each log in a separate post. Here is the first.

SmitFraudFix v2.62

Scan done at 2147.21, 21/06/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Smitfr audFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="acheweed"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Garry

This is the first ewido scan report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:44:56 21/06/2006

+ Scan result:



C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : No action taken.
C:\Documents and Settings\Marilyn\Cookies\Cookies\marilyn@doublecli ck[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Callum\Cookies\Cookies\callum@webpdp.gato r[2].txt -> TrackingCookie.Gator : No action taken.
C:\Documents and Settings\Callum\Cookies\callum@ehg-evesham.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Callum\Cookies\callum@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Callum\Cookies\callum@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : No action taken.
C:\Program Files\Media-Codec -> Trojan.Small : No action taken.
C:\Program Files\Media-Codec\uninst.exe -> Trojan.Small : No action taken.


::Report end

.......and this is the second one:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:48:58 21/06/2006

+ Scan result:



C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Marilyn\Cookies\Cookies\marilyn@doublecli ck[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Callum\Cookies\Cookies\callum@webpdp.gato r[2].txt -> TrackingCookie.Gator : Cleaned with backup (quarantined).
C:\Documents and Settings\Callum\Cookies\callum@ehg-evesham.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Callum\Cookies\callum@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Callum\Cookies\callum@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
C:\Program Files\Media-Codec -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\Media-Codec\uninst.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

Garry

Finally, here is the second hijack this scan log:

Logfile of HijackThis v1.99.1
Scan saved at 23:06:28, on 21/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 8.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuard.exe
C:\Program Files\Idigicon\Anti Spam 2005\pcspamer.exe
C:\Program Files\Idigicon\Internet Protector 2005\ip2005.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Idigicon Anonysurf\SWebPriv.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\SmartM\BlueOpal\Utilities\ObexDefaultServer. exe
C:\Program Files\SmartM\BlueOpal\Utilities\ObexDefaultServer. exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evesham.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http://24.0.248.11:9997
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 8.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuard.exe"
O4 - HKCU\..\Run: [Anty Spamer] C:\Program Files\Idigicon\Anti Spam 2005\pcspamer.exe
O4 - HKCU\..\Run: [GuardDog] C:\Program Files\Idigicon\Internet Protector 2005\ip2005.exe
O4 - Startup: Idigicon Anonysurf.lnk = C:\Program Files\Idigicon Anonysurf\SWebPriv.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/200...reeInstall.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard File Monitoring (BsFileSpy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard Firewall (BsFirewall) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard Email Monitoring (BsMailProxy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

Garry