Am I infected with some new malware or is it a Windows problem?

#1 Mors Victrix (Newbie)

    Hi! I do not wish to take too much space on your site so please read my problem here:
    http://www.d-a-l.com/help/showthread.php?t=46503

I decided to post some logs to see if you can make something of them:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:18:58, on 29.8.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
    C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Comodo\Personal Firewall\CPF.exe
    C:\Program Files\Comodo\LaunchPad\CLPTray.exe
    C:\Program Files\Memzip\memzipr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Dejan\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaspersky.com/kos/english/kavwebscan.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...date?clid=1033
    F3 - REG:win.ini: run=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Personal Firewall\CPF.exe sysrestart
    O4 - HKLM\..\Run: [Comodo Launch Pad Tray] C:\Program Files\Comodo\LaunchPad\CLPTray.exe
    O4 - HKLM\..\Run: [CB Active User] C:\Program Files\Comodo\BackUp\CmdBkStart.exe
    O4 - HKCU\..\Run: [MemoryZipperPlus] C:\Program Files\Memzip\memzipr.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [TABS] Tabbed Browsing
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - {557F70CC-5800-4122-B711-AA29DBEAC0CC} - (no file)
    O20 - Winlogon Notify: SASWinLogon - C:\WINDOWS\
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
    O23 - Service: ComodoBackupService - COMODO - C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

    IceSword Kernel Module log:

    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    pciide.sys
    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    viaidexp.sys
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    siside.sys
    PartMgr.sys
    VolSnap.sys
    atapi.sys
    SiSRaid.sys
    \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    disk.sys
    \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    fltmgr.sys
    sr.sys
    FSTOPW.SYS
    PxHelp20.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    inspect.sys
    viaagp.sys
    speedfan.sys
    sisperf.sys
    sisidex.sys
    Mup.sys
    giveio.sys
    gagp30kx.sys
    \SystemRoot\System32\DRIVERS\processr.sys
    \SystemRoot\system32\DRIVERS\ati2mtag.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\System32\DRIVERS\cdrom.sys
    \SystemRoot\System32\DRIVERS\redbook.sys
    \SystemRoot\System32\DRIVERS\ks.sys
    \SystemRoot\system32\drivers\smwdm.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\aeaudio.sys
    \SystemRoot\system32\drivers\senfilt.sys
    \SystemRoot\system32\DRIVERS\usbohci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\sisnicxp.sys
    \SystemRoot\system32\DRIVERS\fdc.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\System32\DRIVERS\parport.sys
    \SystemRoot\System32\DRIVERS\i8042prt.sys
    \SystemRoot\System32\DRIVERS\mouclass.sys
    \SystemRoot\System32\DRIVERS\kbdclass.sys
    \SystemRoot\System32\DRIVERS\audstub.sys
    \SystemRoot\System32\DRIVERS\rasl2tp.sys
    \SystemRoot\System32\DRIVERS\ndistapi.sys
    \SystemRoot\System32\DRIVERS\ndiswan.sys
    \SystemRoot\System32\DRIVERS\raspppoe.sys
    \SystemRoot\System32\DRIVERS\raspptp.sys
    \SystemRoot\System32\DRIVERS\TDI.SYS
    \SystemRoot\System32\DRIVERS\psched.sys
    \SystemRoot\System32\DRIVERS\msgpc.sys
    \SystemRoot\System32\DRIVERS\ptilink.sys
    \SystemRoot\System32\DRIVERS\raspti.sys
    \SystemRoot\System32\DRIVERS\rdpdr.sys
    \SystemRoot\System32\DRIVERS\termdd.sys
    \SystemRoot\System32\DRIVERS\swenum.sys
    \SystemRoot\System32\DRIVERS\update.sys
    \SystemRoot\System32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\flpydisk.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\System32\DRIVERS\rasacd.sys
    \SystemRoot\System32\DRIVERS\ipsec.sys
    \SystemRoot\System32\DRIVERS\tcpip.sys
    \SystemRoot\System32\DRIVERS\cmdmon.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\System32\DRIVERS\netbios.sys
    \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    \SystemRoot\System32\DRIVERS\wanarp.sys
    \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    \SystemRoot\System32\DRIVERS\rdbss.sys
    \SystemRoot\System32\DRIVERS\mrxsmb.sys
    \??\C:\WINDOWS\system32\drivers\ikhlayer.sys
    \??\C:\WINDOWS\system32\drivers\ikhfile.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys
    \??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
    \SystemRoot\System32\Drivers\Fastfat.SYS
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\ati2dvag.dll
    \SystemRoot\System32\ati2cqag.dll
    \SystemRoot\System32\atikvmag.dll
    \SystemRoot\System32\ati3duag.dll
    \SystemRoot\System32\ativvaxx.dll
    \??\C:\WINDOWS\system32\socketlock.sys
    \SystemRoot\System32\DRIVERS\ndisuio.sys
    \SystemRoot\System32\Drivers\ParVdm.SYS
    \??\C:\WINDOWS\system32\Drivers\mchInjDrv.sys
    \??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\System32\DRIVERS\secdrv.sys
    \SystemRoot\system32\drivers\kmixer.sys
    \SystemRoot\System32\Drivers\IsDrv118.sys
    \WINDOWS\system32\ntdll.dll
    C:\WINDOWS\System32\giveio.sys
    C:\WINDOWS\System32\speedfan.sys

    IceSword Started Service log:

    Service Name:AntiVirScheduler Display Name:AntiVir PersonalEdition Classic Scheduler
    Service Name:AntiVirService Display Name:AntiVir PersonalEdition Classic Guard
    Service Name:Ati HotKey Poller Display Name:Ati HotKey Poller
    Service Name:AudioSrv Display Name:Windows Audio
    Service Name:CmdAgent Display Name:Comodo Application Agent
    Service Name:ComodoBackupService Display Name:ComodoBackupService
    Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Diskeeper Display Name:Diskeeper
Service Name:Dnscache Display Name:DNS Client
    Service Name:Eventlog Display Name:Event Log
    Service Name:EventSystem Display Name:COM+ Event System
    Service Name:lanmanserver Display Name:Server
    Service Name:lanmanworkstation Display Name:Workstation
    Service Name:Netman Display Name:Network Connections
    Service Name:Nla Display Name:Network Location Awareness (NLA)
    Service Name:PlugPlay Display Name:Plug and Play
    Service Name:ProtectedStorage Display Name:Protected Storage
    Service Name:RasMan Display Name:Remote Access Connection Manager
    Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
    Service Name:SamSs Display Name:Security Accounts Manager
    Service Name:SDhelper Display Name:PC Tools Spyware Doctor
    Service Name:SENS Display Name:System Event Notification
    Service Name:ShellHWDetection Display Name:Shell Hardware Detection
    Service Name:Spooler Display Name:Print Spooler
    Service Name:srservice Display Name:System Restore Service
    Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
    Service Name:TapiSrv Display Name:Telephony
    Service Name:TermService Display Name:Terminal Services
    Service Name:Themes Display Name:Themes
    Service Name:WinDefend Display Name:Windows Defender Service
    Service Name:winmgmt Display Name:Windows Management Instrumentation
    Service Name:wuauserv Display Name:Automatic Updates
    Service Name:WZCSVC Display Name:Wireless Zero Configuration

#2 Mors Victrix (Newbie)
Please help me. I can't change the name of any folder. If I do, I get an error message and Explorer terminates/restarts. If I make a new folder, I can't give it a name. Help!

    I've reinstalled Windows, but it doesn't help.

#3 VopThis (Senior Member, Canada)
    I've reinstalled Windows, but it doesn't help.
    Do you mean that you did a repair install? That will not change the nature of the issues noted below.


    You appear to have had a duplication of tool functionality in two (2) categories which would cause conflicts and serious performance problems:

    Antivirus - Comodo and 'AntiVir PersonalEdition Classic'.
    Spyware - Spyware Doctor, WINDOWS DEFENDER, and SPYBOTSD TEATIMER.


    You need to disable or uninstall one of the antivirus tools if there are two (2) such tools running. Uninstall or disable both WINDOWS DEFENDER and SPYBOTSD TEATIMER.



You were not running HijackThis (HJT) from a desired location. You really need to set up a dedicated folder for HJT items – to avoid horrible clutter and/or potential lost backup issues.

    It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
    • Create a new folder in your C: Drive.
    • Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and move the HijackThis.exe file into it.
    • Run HJT from there (and revise your shortcut accordingly).



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

#4 Mors Victrix (Newbie)
    Quote Originally Posted by VopThis
    Do you mean that you did a repair install? That will not change the nature of the issues noted below.
Yes, a repair install... When I did, I got an error message that setup can't delete explorer.exe. I tried to do it manually and failed.

    Quote Originally Posted by VopThis
    You appear to have had a duplication of tool functionality in two (2) categories which would cause conflicts and serious performance problems:

    Antivirus - Comodo and 'AntiVir PersonalEdition Classic'.
    Spyware - Spyware Doctor, WINDOWS DEFENDER, and SPYBOTSD TEATIMER.

    You need to disable or uninstall one of the antivirus tools if there are two (2) such tools running. Uninstall or disable both WINDOWS DEFENDER and SPYBOTSD TEATIMER.
I do not have Comodo antivirus installed, but I do have Comodo Backup and Comodo Firewall. I have always had just one resident antivirus at a time. I also do not have Spyware Doctor at startup. SDhelp is just some kind of passive application or BHO I can't terminate or disable from starting. But the resident scanner from Spyware Doctor does not start, and when I do start it manually, I close any other AS application. It takes much RAM. The only AS application that starts up and stays resident is Windows Defender. I use Spybot TeaTimer just to check for any changes at startup; after that I always close it... I did boot one time after disabling everything I could from the above (using Startup Mechanic and StartupManager) just to check, and the problem remained. Also, I had all of these applications way before the problem I have began... except Comodo Backup, but I uninstalled it and the problem remained. So I installed it back again. I need it to back up my work.

    Quote Originally Posted by VopThis
    You were not running HijackThis (HJT) from a desired location. You really need to setup a dedicated folder for HJT items – to avoid horrible clutter and/or potential lost backup issues.

    It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
    • Create a new folder in your C: Drive.
    • Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and move the HijackThis.exe file into it.
    • Run HJT from there (and revise your shortcut accordingly).

    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
I was surprised to see that I succeeded in creating and NAMING a folder to my liking.
I am now on my girlfriend's Windows account and it seems it does not have this problem. But I still can't delete any folders I previously created and then got the error on - the already ''corrupted'' ones (I hope you checked the link to the description of my problem).

    Logfile of HijackThis v1.99.1
    Scan saved at 22:00:25, on 30.8.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Memzip\memzipr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [MemoryZipperPlus] C:\Program Files\Memzip\memzipr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [TABS] Tabbed Browsing
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - {557F70CC-5800-4122-B711-AA29DBEAC0CC} - (no file)
    O20 - Winlogon Notify: SASWinLogon - C:\WINDOWS\
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
    O23 - Service: ComodoBackupService - COMODO - C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

    I will also post the log from My Win account. Maybe there's a difference.

#5 VopThis (Senior Member, Canada)
Are you currently using SUPERAntiSpyware (the path is both odd and likely currently non-functional)? You might want to uninstall that, if applicable, because of that anomaly (a valid PATH should be in Program Files) and/or fix the following HJT line item:

    O20 - Winlogon Notify: SASWinLogon - C:\WINDOWS\


    Also, is it possible that SUPERantispyware is also running when 'Windows Defender' is running?


    Running a 'Repair Install' while there are active agents trying to prevent potentially inappropriate changes is a possible consequence of the above and similar tools. Disable 'Windows Defender' and all other similar tools before running the following fixes:

    Disable Windows Defender
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

    O18 - Filter: text/html - {557F70CC-5800-4122-B711-AA29DBEAC0CC} - (no file)

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
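The triage VopThis does by eye on these logs (entries whose target file is gone, an O20 Winlogon Notify line that ends in a bare directory, several resident anti-spyware products at once) can be scripted. The following Python is an added example, not code from this thread or from HijackThis; the sample lines are copied from the second log above, and the product-to-category table is an assumption that covers only the tools named in this thread.

```python
"""Triage helper for a HijackThis 1.99.1 log (added example, not from the thread).

Rules applied, mirroring the reasoning in the posts above:
  1. any entry whose target reads "(no file)" or "(file missing)" is a dead
     registration and a candidate for 'Fix checked';
  2. an O20 Winlogon Notify entry whose path ends in a directory separator
     names no DLL at all, which is what makes the SASWinLogon line odd;
  3. more than one resident product in the same security category (O4 Run
     or O23 Service) is a conflict candidate.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the second log posted in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\\PROGRA~1\\SPYWAR~1\\tools\\iesdpb.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O18 - Filter: text/html - {557F70CC-5800-4122-B711-AA29DBEAC0CC} - (no file)
O20 - Winlogon Notify: SASWinLogon - C:\\WINDOWS\\
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\\Program Files\\AntiVir PersonalEdition Classic\\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\\Program Files\\ewido anti-spyware 4.0\\guard.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\\Program Files\\Spyware Doctor\\sdhelp.exe
"""

# Assumed product table: only the tools named in this thread, by category.
SECURITY_TOOLS = {
    "antivirus": ["AntiVir"],
    "antispyware": ["Windows Defender", "Spyware Doctor", "ewido",
                    "TeaTimer", "SUPERAntiSpyware"],
}

# Every HJT entry line starts with a section code such as O2, O18, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse(log_text):
    """Return (section, body) pairs for each entry line; header lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entries(entries):
    """Rules 1 and 2: return (section, reason, body) for each suspicious entry."""
    findings = []
    for section, body in entries:
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "target file missing: dead registration", body))
        elif section == "O20" and body.rstrip().endswith("\\"):
            findings.append((section, "Winlogon Notify names a directory, not a DLL", body))
    return findings


def resident_tools(entries):
    """Rule 3 input: security products registered to start at boot (O4 Run, O23 Service)."""
    found = defaultdict(set)
    for section, body in entries:
        if section not in ("O4", "O23"):
            continue
        for category, names in SECURITY_TOOLS.items():
            for name in names:
                if name.lower() in body.lower():
                    found[category].add(name)
    return {category: sorted(names) for category, names in found.items()}


def duplicated_categories(entries):
    """Rule 3: categories with more than one resident product."""
    return sorted(c for c, names in resident_tools(entries).items() if len(names) > 1)


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for section, reason, body in flag_entries(parsed):
        print(f"{section}: {reason}\n    {body}")
    for category in duplicated_categories(parsed):
        print(f"conflict: several resident {category} tools: "
              f"{', '.join(resident_tools(parsed)[category])}")
```

Run against the sample it reports the two dead BHOs, the missing msnim handler, the orphaned text/html filter and the SASWinLogon directory path, plus three resident anti-spyware products; the O2/O18 hits are the same items VopThis selects for 'Fix checked'. Rule 3 only counts what is registered to start, so a product that is installed but not in O4/O23 (as the poster describes for Spyware Doctor's scanner) does not inflate the count.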
