Help! Got three viruses (new ones)!

    #1 zeal (Newbie)

    Help! Got three viruses (new ones)!

    Hello all, and thanks for taking the time to help me on this issue.

    I'm running bitdefender 9 Standard Edition, webroot spysweeper
    and spyware doctor.

    I performed a system scan on BitDefender,
    and I received three new viruses:

    DeepScan:Generic.Horst.ED4D209F
    Trojan.Hacktool.Prockill.A
    Trojan.Clicker.Agent.FF

    Here is the log file from Bitdefender:


    //-----------------------------------------------------------------
    //
    // Product: BitDefender 9 Standard
    // Version: 9.5
    //
    // Created on: 21/12/2006 11:38:27
    //
    //-----------------------------------------------------------------


    Virus Statistics

    Scan path : C:\
    E:\
    Folders : 7586
    Files : 487427
    Archives : 2822
    Packed files : 32368
    Identified viruses : 5
    Infected files : 4
    Warnings : 0
    Suspect files : 0
    Disinfected files : 0
    Deleted files : 2
    Copied files : 0
    Moved files : 1
    Renamed files : 0
    I/O errors : 131
    Scan time : 01:09:25
    Scan speed (files/sec) : 117

    Spyware Statistics

    Memory processes scanned : 47
    Memory processes infected : 0
    Registry keys scanned : 1638
    Registry keys infected : 2
    Cookies scanned : 66
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 2


    Virus definitions : 383887
    Scan plugins : 16
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options
    Detection
    [X] Scan boot sectors
    [X] Scan archives
    [X] Scan packed files
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Copy to quarantine
    [ ] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [ ] Copy to quarantine
    [X] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1166719107.log

    Spyware scan options

    [X] Memory Processes
    [X] Registry keys
    [X] Cookies


    Summary:

    <System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Detected: magne3t
    <System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Deleted
    <System> Update
    <System>=>HKEY_CLASSES_ROOT\MAGNET Detected: magne2t
    <System>=>HKEY_CLASSES_ROOT\MAGNET Deleted
    <System> Update
    C:\Documents and Settings\All Users\Documents\setup.exe Infected: DeepScan:Generic.Horst.ED4D209F
    C:\Documents and Settings\All Users\Documents\setup.exe Disinfection failed
    C:\Documents and Settings\All Users\Documents\setup.exe Moved
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0016 Infected: Trojan.Hacktool.Prockill.A
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0016 Disinfection failed
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0016 Move failed
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0017 Infected: Trojan.Clicker.Agent.FF
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0017 Disinfection failed
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0017 Move failed
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0020=>(NSIS g)=>lzma_solid_nsis0001 Infected: Trojan.Hacktool.Prockill.A
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0020=>(NSIS g)=>lzma_solid_nsis0001 Disinfection failed
    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0020=>(NSIS g)=>lzma_solid_nsis0001 Move failed




    Here is the log file from HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:12:55 AM, on 12/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    E:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Bell\Access Manager\app\TangoService.exe
    E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\softwin\bitdefender9\bdswitch.exe
    C:\program files\softwin\bitdefender9\bdnagent.exe
    E:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    E:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    c:\program files\softwin\bitdefender9\bdmcon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
    O2 - BHO: MainCode Class - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - E:\Program Files\Sytexis Software\Web Stream Recorder\wsr_ieplug.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [BDSwitchAgent] "c:\program files\softwin\bitdefender9\bdswitch.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender9\bdnagent.exe"
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.king.com/midasa.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148851344609
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.237.83.94/activex/AxisCamControl.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://spinpalace.microgaming.com/freeplay/FlashAX.cab
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F43D4C6-E494-4DA0-A306-5AE4FE675004}: NameServer = 206.47.244.106 207.236.176.9
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Network Inspector Agent - Fluke Networks, Inc. - E:\Program Files\Fluke Networks\Network Inspector\netengnt.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe
    O23 - Service: Ventrilo - Unknown owner - E:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
    Last edited by zeal; 22-12-2006 at 09:03 PM.

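A note on reading the BitDefender summary in post #1, with an added example that is not part of the thread and not BitDefender's own code. Three of the four "Infected" objects sit under C:\System Volume Information\_restore{...}\RP364, i.e. inside a System Restore point, and are nested members of an NSIS installer (the "=>(NSIS o)=>lzma_solid_nsisNNNN" chain); for all three both the disinfect action and the quarantine action failed, which is the usual result for files in that directory because Windows XP keeps it off-limits to ordinary processes. The one live file (setup.exe under All Users\Documents) was quarantined, and the two registry keys were deleted. The Python below turns the Summary block into structured records so that distinction is explicit: the sample input is the event lines copied from the log above, and the location labels ("registry", "restore_point", "live_file") are this example's own naming.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the event lines from the BitDefender 9 "Summary"
# section posted above (copied from the log, nothing added).
SAMPLE_SUMMARY = r"""
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Detected: magne3t
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Deleted
<System> Update
<System>=>HKEY_CLASSES_ROOT\MAGNET Detected: magne2t
<System>=>HKEY_CLASSES_ROOT\MAGNET Deleted
<System> Update
C:\Documents and Settings\All Users\Documents\setup.exe Infected: DeepScan:Generic.Horst.ED4D209F
C:\Documents and Settings\All Users\Documents\setup.exe Disinfection failed
C:\Documents and Settings\All Users\Documents\setup.exe Moved
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0016 Infected: Trojan.Hacktool.Prockill.A
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0016 Disinfection failed
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0016 Move failed
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0017 Infected: Trojan.Clicker.Agent.FF
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0017 Disinfection failed
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0017 Move failed
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0020=>(NSIS g)=>lzma_solid_nsis0001 Infected: Trojan.Hacktool.Prockill.A
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0020=>(NSIS g)=>lzma_solid_nsis0001 Disinfection failed
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP364\A0083061.exe=>(NSIS o)=>lzma_solid_nsis0020=>(NSIS g)=>lzma_solid_nsis0001 Move failed
"""

# Each summary line is "<object> <event>"; the object may contain spaces, so the
# event vocabulary is anchored at the end of the line instead of splitting on space.
EVENT_RE = re.compile(
    r"^(?P<obj>.+?) (?P<event>(?:Infected|Detected): (?P<name>\S+)"
    r"|Disinfection failed|Move failed|Disinfected|Deleted|Moved|Update)$"
)
# A path under System Volume Information\_restore{GUID}\RPnnn is a System Restore point.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.I
)


@dataclass
class Detection:
    obj: str              # object string exactly as logged
    container: str        # outermost file or registry key
    chain: tuple          # nested archive members, e.g. ('(NSIS o)', 'lzma_solid_nsis0016')
    name: str             # detection name
    location: str         # 'registry', 'restore_point' or 'live_file' (this example's labels)
    actions: list = field(default_factory=list)

    @property
    def neutralised(self) -> bool:
        """True once the scanner deleted, quarantined or disinfected the object."""
        return any(a in ("Deleted", "Moved", "Disinfected") for a in self.actions)


def classify(container: str) -> str:
    if container.startswith("<System>"):
        return "registry"
    if RESTORE_RE.search(container):
        return "restore_point"
    return "live_file"


def parse_summary(text: str) -> list:
    """Fold the per-object event lines into one Detection per object."""
    detections = {}
    for line in text.splitlines():
        line = line.strip()
        m = EVENT_RE.match(line) if line else None
        if not m:
            continue
        obj, event, name = m.group("obj"), m.group("event"), m.group("name")
        if name:                               # "Infected:" / "Detected:" opens a record
            parts = obj.split("=>")
            if parts[0] == "<System>":         # registry: "<System>=>HKEY_..." is the whole key
                container, chain = obj, ()
            else:                              # file: outer path, then archive members
                container, chain = parts[0], tuple(parts[1:])
            detections[obj] = Detection(obj, container, chain, name, classify(container))
        elif obj in detections:                # follow-up action for a known object
            detections[obj].actions.append(event)
    return list(detections.values())


def triage(detections: list) -> dict:
    report = {"registry": [], "restore_point": [], "live_file": []}
    for d in detections:
        report[d.location].append(d)
    return report


def outstanding(detections: list) -> list:
    """Detections the scanner could not act on (here: everything inside the restore point)."""
    return [d for d in detections if not d.neutralised]


if __name__ == "__main__":
    dets = parse_summary(SAMPLE_SUMMARY)
    for loc, items in triage(dets).items():
        print(f"{loc}: {len(items)}")
    for d in outstanding(dets):
        print("still present:", d.name, "in", d.container, "via", " => ".join(d.chain))
```

The restore-point entries are archived copies, not files that run at boot, which is why a scanner reporting "Move failed" on them is not by itself a sign of an active infection; they are normally cleared by turning System Restore off and back on once the rest of the system is clean, so that the old restore points (and RP364 with them) are discarded.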

    #2 Neal (Dedicated Member)
    Welcome, log looks ok.


    1. Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
    2. On the left click "shields" and then uncheck everything there.
    3. Uncheck "home page shield".
    4. Uncheck "automatically restore default without notification".
    5. Exit the program.


    Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:

    To deactivate Spyware Doctor's OnGuard Tools
    1. From within Spyware Doctor, click the "OnGuard" button on the left side.
    2. Uncheck "Activate OnGuard".
    You can reenable it once your system is clean.



    INSTRUCTIONS FOR USING AVG ANTI-SPYWARE in "NORMAL MODE"

    Download and scan with AVG Anti-Spyware
    1. After download, double click on the file to launch the install process.
    2. Choose a language, click "OK" and then click "Next".
    3. Read the "License Agreement" and click "I Agree".
    4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
    5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
    6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
    7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
    8. Go to Start > Run and type: services.msc

    * Press "OK".
    * Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
    * When you find the guard service, double-click on it.
    * In the Properties Window > General Tab that opens, click the "Stop" button.
    * From the drop-down menu next to "Startup Type", click on "Manual".
    * Now click "Apply", then "OK" and close the Services window.

    9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from HERE.

    Once the updates are installed do the following:
    1. Click on the "Scanner" button and choose the "Settings" tab.

    * Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    * Under "How to Scan?" check all (default).
    * Under "Possibly unwanted software" check all (default).
    * Under "What to Scan?" make sure "Scan every file" is selected (default).
    * Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

    2. Click the "Scan" tab to return to scanning options.
    3. Click "Complete System Scan" to start.
    4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

    IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

    5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    6. Exit AVG Anti-Spyware when done and submit the log report in your next response.

    Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

    New hijackthis log also please.

    #3 zeal (Newbie)
    Here is the log file from AVG Anti-Spyware:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:25 AM 12/24/2006

    + Scan result:



    C:\WINDOWS\Golden Palace Casino PT setup.exe -> Adware.Casino : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1957994488-682003330-512205415-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
    E:\Program Files\Boilsoft ASF Converter\ASFConverter.exe -> Backdoor.Agent.xn : Cleaned with backup (quarantined).
    :mozilla.36:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.37:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.38:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.93:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.94:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\KhoShtip\Cookies\khoshtip@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.802:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adocean : Cleaned.
    :mozilla.803:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adocean : Cleaned.
    :mozilla.270:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
    C:\Documents and Settings\KhoShtip\Cookies\khoshtip@e-2dj6wjk4kiajico.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.609:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
    :mozilla.266:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.275:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.443:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.556:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.658:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.641:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.642:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.643:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.127:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.128:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.129:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.130:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.216:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.


    ::Report end




    Log file for HijackThis:


    Logfile of HijackThis v1.99.1
    Scan saved at 11:31:14 AM, on 12/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    E:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Bell\Access Manager\app\TangoService.exe
    E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\softwin\bitdefender9\bdswitch.exe
    C:\program files\softwin\bitdefender9\bdnagent.exe
    E:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    c:\program files\softwin\bitdefender9\bdmcon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Documents and Settings\KhoShtip\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
    O2 - BHO: MainCode Class - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - E:\Program Files\Sytexis Software\Web Stream Recorder\wsr_ieplug.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [BDSwitchAgent] "c:\program files\softwin\bitdefender9\bdswitch.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender9\bdnagent.exe"
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.king.com/midasa.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148851344609
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.237.83.94/activex/AxisCamControl.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://spinpalace.microgaming.com/freeplay/FlashAX.cab
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F43D4C6-E494-4DA0-A306-5AE4FE675004}: NameServer = 206.47.244.106 207.236.176.9
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Network Inspector Agent - Fluke Networks, Inc. - E:\Program Files\Fluke Networks\Network Inspector\netengnt.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe
    O23 - Service: Ventrilo - Unknown owner - E:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


    Thank you!

  4. #4
    Neal is offline Dedicated Member
    I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
    1. Run Spybot-S&D
    2. Go to the Mode menu, and make sure "Advanced Mode" is selected
    3. On the left hand side, choose Tools -> Resident
    4. Uncheck "Resident TeaTimer" and OK any prompts
    You can reenable TeaTimer once your system is clean.


    Run HijackThis, click on the Scan button and put checks next to these:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://spinpalace.microgaming.com/freeplay/FlashAX.cab



    With nothing open but HijackThis, click on "Fix checked".

    Reboot and tell me how your computer is behaving now please.
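
    The three entries Neal picked out are the kinds of line a helper looks for by eye: a hook whose target is gone ("(no file)"), a Run entry that names a bare executable with no path, and an ActiveX control downloaded from a site with no business installing one. The script below is an added example for this thread, not HijackThis code and not something either poster ran; it applies those rules, plus a raw-IP check on O16 entries and a "confirm with the ISP" flag on O17 name servers, to HijackThis 1.99.1 log lines copied from the log above. The host allow-list and the Winlogon-notify allow-list are the editor's own assumptions about this machine.

```python
"""Triage HijackThis 1.99.1 log lines with the rules a helper applies by hand.

Added example for this thread, not HijackThis code. Sample lines are taken
from the log posted above; the allow-lists below are the editor's own
assumptions about this machine, not anything the tool reports."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: ActiveX (O16 DPF) controls from these hosts are expected here.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "download.bitdefender.com",
                     "messenger.zone.msn.com"}
# Assumption: Winlogon notify DLLs already identified on this machine
# (Windows Genuine Advantage and Webroot Spy Sweeper).
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll", "wrlogonntf.dll"}

SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148851344609
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://spinpalace.microgaming.com/freeplay/FlashAX.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.237.83.94/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F43D4C6-E494-4DA0-A306-5AE4FE675004}: NameServer = 206.47.244.106 207.236.176.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ventrilo - Unknown owner - E:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[[^\]]+\]\s*(?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")
O20_RE = re.compile(r"^Winlogon Notify: \S+ - (?P<path>.+)$")


def first_exe(cmd):
    """Return the executable named by a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (section, severity, reason, line) for entries worth attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        # Any section: the registered target no longer exists on disk.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((kind, "fix", "orphaned entry, target not on disk", line))
            continue
        if kind == "O4" and (o4 := O4_RE.match(body)):
            exe = first_exe(o4.group("cmd"))
            # A bare name is resolved by the loader's PATH search, so the
            # file that actually runs has to be located before judging it.
            if "\\" not in exe and ":" not in exe:
                findings.append((kind, "check", f"bare filename {exe}, locate the real file", line))
        elif kind == "O16" and (o16 := O16_RE.match(body)):
            host = urlsplit(o16.group("url")).hostname or ""
            if is_ip_literal(host):
                findings.append((kind, "fix", f"ActiveX control fetched from raw IP {host}", line))
            elif host not in TRUSTED_DPF_HOSTS:
                findings.append((kind, "check", f"ActiveX control from unlisted host {host}", line))
        elif kind == "O17" and (o17 := O17_RE.search(body)):
            servers = o17.group("servers").strip()
            findings.append((kind, "check", f"DNS servers {servers}, confirm they are the ISP's", line))
        elif kind == "O20" and (o20 := O20_RE.match(body)):
            dll = o20.group("path").rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_WINLOGON_NOTIFY:
                findings.append((kind, "check", f"unrecognised Winlogon notify DLL {dll}", line))
    return findings


if __name__ == "__main__":
    for kind, severity, reason, line in triage(SAMPLE_LOG):
        print(f"{severity:5} {kind:4} {reason}\n      {line}")
```

    "fix" marks entries that point at nothing and can go without losing anything; "check" marks entries that need a human decision. A bare filename such as ALCMTR.EXE is not evidence of anything by itself, it only means the loader finds the file through the PATH search order, so the real file has to be located and its publisher checked before it is removed or kept.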

  5. #5
    zeal is offline Newbie
    Hello Neal, my computer behaves just fine, before the virus and after the virus;
    however, after completing the most recent task you posted, I re-ran AVG Anti-Virus and pretty much all of what was deleted before came back.
    As well, the virus DeepScan:Generic.Horst in BitDefender is still present.

    Here are the log files for AVG Anti-Spyware, BitDefender, and HijackThis respectively, taking into account the removal of TeaTimer as well:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 4:14:00 PM 12/24/2006

    + Scan result:



    C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP380\A0083690.exe -> Adware.Casino : Cleaned.
    E:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP380\A0083689.exe -> Backdoor.Agent.xn : Cleaned.
    :mozilla.118:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.68:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.799:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adocean : Cleaned.
    :mozilla.11:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.276:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
    :mozilla.53:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.611:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
    :mozilla.273:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.280:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.447:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.559:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.656:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.7:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
    :mozilla.9:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
    :mozilla.28:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.30:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.31:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.32:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.642:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.150:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.34:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.35:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.36:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.37:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.38:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.39:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.40:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.41:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\KhoShtip\Cookies\khoshtip@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.224:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.


    ::Report end

    ------------------------------------------------------------------------



    //-----------------------------------------------------------------
    //
    // Product: BitDefender 9 Standard
    // Version: 9.5
    //
    // Created on: 24/12/2006 16:14:27
    //
    //-----------------------------------------------------------------


    Virus Statistics

    Scan path : C:\
    E:\
    Folders : 7572
    Files : 498178
    Archives : 2650
    Packed files : 32290
    Identified viruses : 1
    Infected files : 1
    Warnings : 0
    Suspect files : 0
    Disinfected files : 0
    Deleted files : 0
    Copied files : 0
    Moved files : 1
    Renamed files : 0
    I/O errors : 32
    Scan time : 00:59:33
    Scan speed (files/sec) : 139

    Spyware Statistics

    Memory processes scanned : 40
    Memory processes infected : 0
    Registry keys scanned : 1640
    Registry keys infected : 0
    Cookies scanned : 71
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0


    Virus definitions : 385670
    Scan plugins : 16
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options

    Detection
    [X] Scan boot sectors
    [X] Scan archives
    [X] Scan packed files
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Copy to quarantine
    [ ] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [ ] Copy to quarantine
    [X] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1166994867.log

    Spyware scan options

    [X] Memory Processes
    [X] Registry keys
    [X] Cookies


    Summary:

    C:\Documents and Settings\All Users\Documents\setup.exe Infected: DeepScan:Generic.Horst.DF4A1C80
    C:\Documents and Settings\All Users\Documents\setup.exe Disinfection failed
    C:\Documents and Settings\All Users\Documents\setup.exe Moved
    -------------------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 5:26:24 PM, on 12/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    E:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\softwin\bitdefender9\bdswitch.exe
    C:\program files\softwin\bitdefender9\bdnagent.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\ATKKBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    E:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Bell\Access Manager\app\TangoService.exe
    E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender9\vsserv.exe
    E:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\KhoShtip\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
    O2 - BHO: MainCode Class - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - E:\Program Files\Sytexis Software\Web Stream Recorder\wsr_ieplug.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.king.com/midasa.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148851344609
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.237.83.94/activex/AxisCamControl.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F43D4C6-E494-4DA0-A306-5AE4FE675004}: NameServer = 206.47.244.106 207.236.176.9
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Network Inspector Agent - Fluke Networks, Inc. - E:\Program Files\Fluke Networks\Network Inspector\netengnt.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe
    O23 - Service: Ventrilo - Unknown owner - E:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    ----------------------------------------------------------------------

    Sorry for the delays; the scans take a long time to do, hence the delayed responses. Much appreciated.
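
    The AVG report above also shows why the same items keep coming back after "cleaning": the two executables sit inside System Restore snapshots (`System Volume Information\_restore{...}\RPnnn`), which are copies that cannot run unless that restore point is applied but get reported on every scan until System Restore is purged, and everything else is a tracking cookie that ordinary browsing re-drops. The script below is an added example for this thread, not AVG Anti-Spyware code; it parses report lines of the form `path -> detection : action` (including AVG's `:mozilla.N:` prefix for an entry inside a Firefox cookies.txt), buckets each hit by where it lives, and leaves only live-file hits for follow-up. All sample lines but the last are copied from the report above; the last is constructed, with a made-up detection name, to exercise the live-file bucket.

```python
"""Bucket AVG Anti-Spyware report lines by where the hit actually lives.

Added example for this thread, not AVG code. All sample lines but the last
are copied from the report above; the last is constructed to exercise the
live-file bucket."""
import re
from collections import Counter

SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP380\A0083690.exe -> Adware.Casino : Cleaned.
E:\System Volume Information\_restore{4C681A86-D254-4D79-9EE9-5AAFD98BAE1F}\RP380\A0083689.exe -> Backdoor.Agent.xn : Cleaned.
:mozilla.118:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.53:C:\Documents and Settings\KhoShtip\Application Data\Mozilla\Firefox\Profiles\w6gye7a3.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\KhoShtip\Cookies\khoshtip@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\All Users\Documents\setup.exe -> Example.Constructed : Cleaned.
"""

# "<:mozilla.N:>path -> DetectionName : Action."
ENTRY_RE = re.compile(
    r"^(?::mozilla\.(?P<idx>\d+):)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>[^.]+)\.$")
# Drive, restore-point GUID and RP number of a System Restore snapshot file.
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\")


def classify(line):
    """Return a dict describing one report line, or None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path, name, action, idx = m.group("path", "name", "action", "idx")
    rp = RESTORE_RE.match(path)
    if rp:
        # A snapshot copy inside a restore point: it cannot run unless that
        # point is applied, and it is reported again on every scan until
        # System Restore is purged.
        where, detail = "restore_point", f"{rp.group('drive').upper()}: RP{rp.group('rp')}"
    elif idx is not None:
        # One record inside Firefox's cookies.txt, not a file of its own.
        where, detail = "tracking_cookie", f"Firefox cookies.txt entry {idx}"
    elif "\\Cookies\\" in path:
        where, detail = "tracking_cookie", "Internet Explorer cookie file"
    else:
        where, detail = "live_file", path
    return {"where": where, "detail": detail, "name": name, "action": action, "path": path}


def summarize(report_text):
    """Return (counts per bucket, entries that need real follow-up)."""
    entries = [e for e in map(classify, report_text.splitlines()) if e]
    counts = Counter(e["where"] for e in entries)
    follow_up = [e for e in entries if e["where"] == "live_file"]
    return counts, follow_up


if __name__ == "__main__":
    counts, follow_up = summarize(SAMPLE_REPORT)
    for where, n in sorted(counts.items()):
        print(f"{n:3} {where}")
    for e in follow_up:
        print(f"follow up: {e['name']} in {e['path']}")
```

    Restore-point hits are answered by purging System Restore once the live system is clean (the procedure BitDefender support points to in their KB article), not by re-running the scanner; cookie hits are answered by clearing cookies, and neither kind says anything about whether malware is running now. Only the live-file bucket does.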

  6. #6
    Neal is offline Dedicated Member
    There is nothing available on the net about this:

    DeepScan:Generic.Horst.DF4A1C80


    Since you have Tango, that could be a false positive; read below:

    http://www.bleepingcomputer.com/star...exe-11911.html



    Open Hijackthis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.



    Download Silent Runners.vbs and post the log it creates, please:
    http://www.silentrunners.org/sr_scriptuse.html Click Yes to the supplementary searches.
    Wait until there is an "All Done" message, then open and post the log next to it.
    Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say done.

    Thanks.

  7. #7
    zeal is offline Newbie
    Ok just before I post the results, I received an email
    from Bitdefender Support and I performed these actions:

    "The present email message contains all pieces of information you need to clean
    up your computer.
    ---
    [How to disable the Virus Shield or Real Time protection]
    In order to disable the Real Time protection please open BitDefender, go to
    'Antivirus' -> 'Shield' and click 'Real Time Protection is enabled'; this
    message will change to 'Real Time Protection is disabled'.

    [How to clean files from System Restore]
    In order to remove the malware present in your System Restore area please read
    the following KB article:
    http://kb.bitdefender.com/KB2-en--Cleaning-infected-files-from-the-Windows-XP-System-Restore.html"

    I performed another antivirus scan with BD, and DeepScan:Generic.Horst did not show up, phew. I ran the AVG spyware program again; it still found the same things as before.

    Here are the log files you requested.

    Access Manager
    Ad-Aware SE Personal
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player 9 ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 7.0.8
    Adobe Stock Photos 1.0
    Adobe Stock Photos 1.0
    Advanced RealMedia Export Plug-in for Premiere 6.0
    ASUS Enhanced Display Driver
    Atlantic Lounge
    Audio Recorder for FREE v5.6
    AVG Anti-Spyware 7.5
    Bingo Cafe
    BingoLiner
    BitComet 0.63
    BitDefender 9 Standard
    BJ_Calculatoor
    Boilsoft ASF Converter 2.68
    Bulent's Screen Recorder 3
    CanBet Casino
    Casino Classic
    Cleaner 5 EZ
    ConvertXtoDVD 2.0.12
    DAEMON Tools
    DiscJuggler
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    Easy GIF Animator 3.5
    Efficient Networks SpeedStream DSL
    FL Studio 5
    Fluke Networks Network Inspector V5.0
    Geisha Bingo
    Global Trading System
    Golden Palace Casino
    High Definition Audio Driver Package - KB835221
    HijackThis 1.99.1
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    HP Memories Disc
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp psc 1200 series
    hp psc 1200 series
    Imagetrix
    iPod for Windows 2006-01-10
    iPodSync 2.28
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_09
    Java 2 Runtime Environment, SE v1.4.2_13
    Java 2 SDK, SE v1.4.2_13
    LimeWire PRO 4.10.0
    LogViewer
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Flash MX 2004
    Macromedia Shockwave Player
    Marketiva
    Marvell Miniport Driver
    MetaTrader 4.00
    MGold Casino
    MG-SOFT MIB Browser
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
    mIRC
    Mozilla Firefox (1.5.0.7)
    Mozilla Firefox (2.0.0.1)
    MSN
    MSN Messenger 7.0
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    NVIDIA Drivers
    PokerRoom.com (remove only)
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    RoyalDoyle Blackjack
    Ruby Fortune Casino
    Secure Game Player
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB926255)
    Sky Kings Casino
    Skype 2.5
    SpeechRedist
    Spy Sweeper
    Spybot - Search & Destroy 1.4
    Spyware Doctor 3.8
    Steam(TM)
    Stellar Phoenix DMR 1.0
    the 123 of digital imaging Interactive Learning Suite Version 3
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    VegasTop Casino
    VideoLAN VLC media player 0.8.5
    Web Page Maker V2.3
    Web Stream Recorder (remove only)
    WinAce Archiver 2.0
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinPcap 3.1 beta3
    WinRAR archiver
    WM Recorder + RM Recorder 10.1
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger

    -----------------------------------------------------------------

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NvCplDaemon" = ""RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "nwiz" = ""nwiz.exe" /install" ["NVIDIA Corporation"]
    "NvMediaCenter" = ""RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "Motive SmartBridge" = "C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [file not found]
    "iTunesHelper" = ""E:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
    "High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"]
    "BDSwitchAgent" = ""C:\Program Files\Softwin\BitDefender9\bdswitch.exe"" [null data]
    "BDNewsAgent" = ""C:\Program Files\Softwin\BitDefender9\bdnagent.exe"" ["SOFTWIN S.R.L"]
    "BDMCon" = ""C:\Program Files\Softwin\BitDefender9\bdmcon.exe"" ["SOFTWIN S.R.L."]
    "AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {11359F4A-B191-42d7-905A-594F8CF0387B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Dictionary.com"
    \InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\lexbar.dll" ["www.typeless.com"]
    {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "MainCode Class"
    \InProcServer32\(Default) = "E:\Program Files\Sytexis Software\Web Stream Recorder\wsr_ieplug.dll" ["Sytexis Software"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! IE Services Button"
    \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
    {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "PCTools Site Guard"
    \InProcServer32\(Default) = "E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "PCTools Browser Monitor"
    \InProcServer32\(Default) = "E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "E:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
    -> {HKLM...CLSID} = "YMailShellExt Class"
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
    "{11359F4A-B191-42D7-905A-594F8CF0387B}" = "Dictionary.com"
    -> {HKLM...CLSID} = "Dictionary.com"
    \InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\lexbar.dll" ["www.typeless.com"]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "E:\Program Files\Realplayer\rpshell.dll" ["RealNetworks, Inc."]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
    -> {HKLM...CLSID} = "Universal Plug and Play Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    <<!>> "AppInit_DLLs" = "sockspy.dll" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
    Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
    -> {HKLM...CLSID} = "YMailShellExt Class"
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\KhoShtip\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Startup items in "KhoShtip" & "All Users" startup folders:
    ----------------------------------------------------------

    C:\Documents and Settings\KhoShtip\Start Menu\Programs\Startup
    "Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "hp psc 1000 series" -> shortcut to: "E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
    "hpoddt01.exe" -> shortcut to: "E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


    Enabled Scheduled Tasks:
    ------------------------

    "FRU Task #Hewlett-Packard#hp psc 1200 series#1137700981" -> launches: "E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1137700981"" [empty string]
    "wrSpySweeperTrialSweep" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /ScheduleSweep=wrSpySweeperTrialSweep" ["Webroot Software, Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
    %SystemRoot%\system32\mswsock.dll [MS], 1 - 3


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{4D5C8C2A-D075-11D0-B416-00C04FB90376}"
    -> {HKLM...CLSID} = "Microsoft CommBand"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
    "{11359F4A-B191-42D7-905A-594F8CF0387B}"
    -> {HKLM...CLSID} = "Dictionary.com"
    \InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\lexbar.dll" ["www.typeless.com"]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{11359F4A-B191-42D7-905A-594F8CF0387B}" = "Lexico"
    -> {HKLM...CLSID} = "Dictionary.com"
    \InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\lexbar.dll" ["www.typeless.com"]

    Explorer Bars

    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
    {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "&Yahoo! Messenger"
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll" ["Yahoo! Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "&Yahoo! Messenger"
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll" ["Yahoo! Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

    {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
    "ButtonText" = "Spyware Doctor"
    "CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
    -> {HKLM...CLSID} = "PCTools Browser Monitor"
    \InProcServer32\(Default) = "E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
    "ButtonText" = "Yahoo! Services"
    "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
    -> {HKLM...CLSID} = "Yahoo! IE Services Button"
    \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\
    "ButtonText" = "PartyPoker.com"
    "MenuText" = "PartyPoker.com"
    "Exec" = "E:\Program Files\PartyGaming\PartyPoker\RunApp.exe" [file not found]

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    ATK Keyboard Service, ATKKeyboardService, "C:\WINDOWS\ATKKBService.exe" ["ASUSTeK COMPUTER INC."]
    BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
    BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]
    BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
    BitDefender Virus Shield, VSSERV, ""C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service" ["SOFTWIN S.R.L."]
    iPodService, iPodService, "E:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    PC Tools Spyware Doctor, SDhelper, "E:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]
    PCTEL Speaker Phone, Pctspk, "C:\WINDOWS\system32\pctspk.exe" ["PCtel, Inc."]
    Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
    Tango Service, TangoService, "C:\Program Files\Bell\Access Manager\app\TangoService.exe" [null data]
    Webroot Spy Sweeper Engine, WebrootSpySweeperService, "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" ["Webroot Software, Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 68 seconds.
    ---------- (total run time: 138 seconds)


  8. #8
    Neal is offline Dedicated Member
    Everything looks ok. When done, we can flush your system restore, creating a new restore point, and that won't show up again in a scan.

    I would uninstall limewire.

    All those casino programs you got are a great way to get infected also.


    Is everything ok?

  9. #9
    zeal is offline Newbie
    Actually tried to remove the casino programs from Add/Remove, but it wouldn't complete. Will format the computer soon.

    I ran the AVG Spyware program again, it still found the same things as before.
    That's the only thing left.

  10. #10
    Neal is offline Dedicated Member
    Will format the computer soon

    Good Luck.
