Win32/Adware

  1. #1
    paulthomasno6, Senior Member

    Win32/Adware

    NOD 32 started flashing this message today:

    File C:\DOCUME~1\Gregory\LOCALS~1\Temp\{8A015~1\_extra\objects\cmdline.dll is infected with probably a variant of Win32/Adware.BHO application. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.

    I hit delete and rebooted, but as soon as the machine was running again the message reappeared. I've tried several times today with always the same result.

    I ran Spybot and an AVG scan; neither of them has removed the problem either.


  2. #2
    Neal, Dedicated Member
    Go to the "Read This First" section at the top of this forum (STICKY) and scroll down until you get to the HijackThis link. Install the program, click on "Do a system scan and save a log file", and copy/paste the log back here please.

  3. #3
    paulthomasno6, Senior Member
    Thanks, and here is the HJT file as requested.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:23:21 AM, on 21/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\OptusNet DSL Internet\DSC.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
    C:\WINDOWS\system32\AlarmS4.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    C:\Program Files\nthClock\nthClock.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Labtec Wireless Desktop\OSD.EXE
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gregory\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.optusnet.com.au/dsl/favorites/homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.optusnet.com.au/dsl/favorites/homepage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MPS] C:\ACER\PSM.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Matrox Powerdesk] "C:\WINDOWS\System32\PDesk\PDesk.exe" /Autolaunch
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus C65 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE" /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [admtray.exe] "C:\Program Files\Acer\eManager\admtray.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Backup NOW! Scheduler] "C:\Program Files\NewTech Infosystems\NTI Backup NOW! 3\Schdlr32.exe" -s
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe"
    O4 - HKCU\..\Run: [EPSON Stylus C65 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE" /P23 "EPSON Stylus C65 Series" /M "Stylus C65" /EF "HKCU"
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: nthClock.lnk = C:\Program Files\nthClock\nthClock.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147694644515
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Hardware Monitoring Program (ADMService) - OSA Technologies Inc - C:\Program Files\Acer\eManager\admServ.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

  4. #4
    Neal, Dedicated Member
    Did you do a scan with AVG anti-spyware 7.5?

    There isn't anything obvious that stands out to me, which means we must dig for it.

    So with shovel in hand...



    1. Download this file - COMBOFIX
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    Post a new hijackthis log also please.

  5. #5
    paulthomasno6, Senior Member
    Did you do a scan with AVG anti-spyware 7.5?
    I did, Neal, also ran Spybot.

    In between my first post and your reply, incidentally, the NOD warning disappeared for a short time. But the next time I restarted the machine it was back.

    Here is the Combofix log:

    "Gregory" - 2007-07-21 16:52:57 - ComboFix 07-07-14.6 - Service Pack 2 FAT32


    ((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


    2007-07-21 16:51 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-19 19:54 <DIR> d-------- C:\DOCUME~1\Gregory\APPLIC~1\Apple Computer
    2007-07-19 19:52 <DIR> d-------- C:\Program Files\QuickTime
    2007-07-19 19:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
    2007-07-19 19:51 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-07-19 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-07-17 08:41 <DIR> d-------- C:\Program Files\KompoZer
    2007-07-17 08:41 <DIR> d-------- C:\DOCUME~1\Gregory\APPLIC~1\KompoZer
    2007-07-17 08:39 <DIR> d-------- C:\Program Files\WinDirStat
    2007-07-17 08:37 <DIR> d-------- C:\Program Files\Audacity
    2007-07-17 08:32 299,520 --a------ C:\WINDOWS\uninst.exe
    2007-07-17 08:32 <DIR> d-------- C:\Program Files\nthClock
    2007-07-16 11:25 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
    2007-07-16 11:23 24,848 --a------ C:\WINDOWS\system32\MSJtEr35.dll
    2007-07-16 11:23 143,872 --a------ C:\WINDOWS\system32\unzip32.dll
    2007-07-16 11:23 123,664 --a------ C:\WINDOWS\system32\MSJInt35.dll
    2007-07-16 09:01 <DIR> d-------- C:\Program Files\Realtek AC97
    2007-07-14 06:57 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
    2007-07-14 06:57 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
    2007-07-14 06:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
    2007-07-14 06:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
    2007-07-14 06:57 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
    2007-07-14 06:57 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
    2007-07-14 06:57 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
    2007-07-14 06:57 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
    2007-07-14 06:57 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
    2007-07-14 06:57 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
    2007-07-14 06:57 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
    2007-07-14 06:57 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
    2007-07-14 06:57 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
    2007-07-14 06:57 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
    2007-07-14 06:57 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
    2007-07-14 06:57 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
    2007-07-14 06:57 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
    2007-07-14 06:57 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
    2007-07-14 06:57 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
    2007-07-13 21:16 <DIR> d-------- C:\Program Files\XNote Stopwatch
    2007-07-13 20:55 <DIR> d-------- C:\DOCUME~1\Gregory\APPLIC~1\fltk.org
    2007-07-13 15:35 <DIR> d-------- C:\DOCUME~1\Gregory\APPLIC~1\ChaosPro
    2007-07-13 15:34 <DIR> d-------- C:\Program Files\Karen's Power Tools
    2007-07-13 15:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Karen's Power Tools
    2007-07-13 15:05 <DIR> d-------- C:\PMAIL
    2007-07-13 14:46 <DIR> d-------- C:\Program Files\1Time
    2007-07-13 09:13 <DIR> d-------- C:\Program Files\Sony
    2007-07-13 09:12 <DIR> d-------- C:\Program Files\Sony Setup
    2007-07-12 20:11 <DIR> d--hs---- C:\FOUND.010
    2007-07-12 16:41 <DIR> d-------- C:\Program Files\FDRLab
    2007-07-12 16:37 <DIR> d-------- C:\Program Files\FireTune
    2007-07-10 07:58 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-07-10 07:58 <DIR> d-------- C:\d6f71058dacd0c1a0f5e1ce062c301
    2007-07-10 07:57 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-07-10 07:57 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-07-10 07:57 <DIR> d-------- C:\37d5162f1922e03346491ac67f92ba38
    2007-07-10 07:56 <DIR> d-------- C:\277b6bb3f244727fbd9930326f3ec201
    2007-07-08 16:21 <DIR> d-------- C:\Program Files\Capture-A-ScreenShot
    2007-07-06 12:45 23,552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL
    2007-07-06 12:45 116,224 --a------ C:\WINDOWS\system32\pdfcmnnt.dll
    2007-07-06 12:45 <DIR> d-------- C:\Program Files\PDFCreator
    2007-06-30 20:42 21,656 --a------ C:\WINDOWS\system32\dopdfmn5.dll
    2007-06-30 20:42 17,048 --a------ C:\WINDOWS\system32\dopdfmi5.dll
    2007-06-30 20:42 <DIR> d-------- C:\Program Files\Softland
    2007-06-28 20:53 <DIR> d-------- C:\Program Files\TypeFaster
    2007-06-24 12:37 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-19 00:33:22 192 ----a-w C:\WINDOWS\system32\tbhi.dat
    2007-07-19 00:33:22 10 ----a-w C:\WINDOWS\system32\drivers\tmbi.sys
    2007-07-17 0242 15,702 ----a-w C:\WINDOWS\mozver.dat
    2007-07-12 08:36:36 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2007-06-16 10:20:04 -------- d-----w C:\Program Files\Common Files\Skype
    2007-06-11 00:29:12 37,057 ------w C:\WINDOWS\system32\kbpDinput.dll
    2007-06-08 11:54:58 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-06-08 11:52:48 -------- d-----w C:\Program Files\MbfLite
    2007-06-08 11:30:10 -------- d-----w C:\Program Files\FreeMind
    2007-06-06 10:48:22 1,024 ---h--r C:\WINDOWS\system32\ntiembed.dll
    2007-06-06 10:48:20 6,912 ----a-w C:\WINDOWS\system32\drivers\NTIDrvr.sys
    2007-06-06 10:45:24 1,024 ---h--r C:\WINDOWS\system32\NTIMPEG2.dll
    2007-06-06 10:45:24 1,024 ---h--r C:\WINDOWS\system32\NTICDMK32.dll
    2007-06-04 00:00:46 -------- d-----w C:\DOCUME~1\Gregory\APPLIC~1\InstallShield
    2007-05-21 12:41:18 -------- d-----w C:\Program Files\Zeallsoft
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-13 10:36:38 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
    2007-05-11 22:44:40 231,330 ----a-w C:\WINDOWS\uninstall Pinups_F.exe
    2007-05-11 22:44:38 1,300,219 ----a-w C:\WINDOWS\Pinups_F.scr
    2007-05-07 22:48:56 14,952 ---ha-w C:\WINDOWS\system32\mlfcache.dat
    2007-05-05 12:19:40 181,257 ----a-w C:\WINDOWS\system32\PSS - Untitled.SCR
    2007-05-05 12:10:10 322,113 ----a-w C:\WINDOWS\system32\My Screensaver.scr
    2007-05-05 11:58:16 804,864 ----a-w C:\WINDOWS\system32\ImgX5.dll
    2007-05-05 11:58:16 424,960 ----a-w C:\WINDOWS\system32\_ISource21.dll
    2007-05-05 11:58:14 129,536 ----a-w C:\WINDOWS\system32\IJL15.dll
    2007-04-25 1416 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-03-09 09:12:32 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    2004-02-10 14:08 339968 --a------ C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MPS"="C:\ACER\PSM.EXE" []
    "CTHelper"="CTHELPER.EXE" [2003-06-20 14:55 C:\WINDOWS\system32\CTHELPER.EXE]
    "AsioReg"="REGSVR32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\regsvr32.exe]
    "SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 11:52]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 07:15]
    "nwiz"="nwiz.exe" [2006-07-25 10:33 C:\WINDOWS\system32\nwiz.exe]
    "CHotkey"="mHotkey.exe" [2003-03-28 17:24 C:\WINDOWS\mHotkey.exe]
    "Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [2005-11-30 11:21]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-15 05:30]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-16 08:07]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
    "admtray.exe"="C:\Program Files\Acer\eManager\admtray.exe" [2004-10-11 17:37]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25]
    "Backup NOW! Scheduler"="C:\Program Files\NewTech Infosystems\NTI Backup NOW! 3\Schdlr32.exe" [2004-02-10 15:00]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkypeClient"="C:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe" [2005-05-06 21:54]
    "EPSON Stylus C65 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.exe" [2003-11-27 02:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 15:18]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 20:29]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


    Contents of the 'Scheduled Tasks' folder
    2007-07-19 11:51:56 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-21 16:54:05
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-21 16:54:32

    --- E O F ---




    And the new HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:06:22 PM, on 21/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\OptusNet DSL Internet\DSC.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
    C:\WINDOWS\system32\AlarmS4.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    C:\Program Files\nthClock\nthClock.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Labtec Wireless Desktop\OSD.EXE
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gregory\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.optusnet.com.au/dsl/favorites/homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.optusnet.com.au/dsl/favorites/homepage
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [MPS] C:\ACER\PSM.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [admtray.exe] "C:\Program Files\Acer\eManager\admtray.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Backup NOW! Scheduler] "C:\Program Files\NewTech Infosystems\NTI Backup NOW! 3\Schdlr32.exe" -s
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe"
    O4 - HKCU\..\Run: [EPSON Stylus C65 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE" /P23 "EPSON Stylus C65 Series" /M "Stylus C65" /EF "HKCU"
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: nthClock.lnk = C:\Program Files\nthClock\nthClock.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147694644515
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Hardware Monitoring Program (ADMService) - OSA Technologies Inc - C:\Program Files\Acer\eManager\admServ.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

    ADDITIONAL INFO - This message is copied from the window that opened when I clicked on the NOD32 warning bubble:

    C:\DOCUME~1\Gregory\LOCALS~1\Temp\{0151E~1\_extra\objects\cmdline.dll - probably a variant of Win32/Adware.BHO application

    It appears to be slightly different from the original message.
    Last edited by paulthomasno6; 21-07-2007 at 10:21 AM.

  6. #6
    Neal, Dedicated Member
    To clean your temp folder, recycle bin, etc., please download this free tool:

    CCleaner

    Don't install any toolbars or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
    It will put a shortcut on your Desktop.

    Uncheck cookies

    Before first use:
    Select Options then Advanced.
    UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.


    Then Reboot (Exit)



    Suspicious Files/Folders


    Check out these strange folders and see if anything is in them:

    C:\37d5162f1922e03346491ac67f92ba38
    C:\277b6bb3f244727fbd9930326f3ec201



    Scan these:

    C:\WINDOWS\iun6002.exe
    C:\WINDOWS\system32\kbpDinput.dll
    C:\WINDOWS\uninstall Pinups_F.exe
    C:\WINDOWS\Pinups_F.scr
    C:\WINDOWS\system32\My Screensaver.scr



    Scan these one at a time here:



    Go to next site:
    http://www.virustotal.com/en/indexf.html
    On top you'll find 'Browse'
    Click the browse button and browse to next file:


    C:\WINDOWS\iun6002.exe


    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    If that one is too busy, here is another option:


    http://virusscan.jotti.org

    And

    http://www.kaspersky.com/scanforvirus.html



    Then...



    Do an online scan (scan only tool) with Kaspersky WebScanner
    [Internet Explorer required]


    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        - Extended (if available otherwise Standard)
      • Scan Options:
        - Scan Archives
        - Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the results of the scan back here please and a new hijackthis log.

  7. #7
    paulthomasno6, Senior Member
    Results of the VirusTotal scan:

    C:\WINDOWS\uninstall Pinups_F.exe
    eSafe 7.0.15.0 2007.07.19 suspicious Trojan/Worm


    C:\WINDOWS\Pinups_F.scr
    eSafe 7.0.15.0 2007.07.19 suspicious Trojan/Worm


    I can't run the Kaspersky scanner. The ActiveX download fails.
    My IE security setting is Medium, as required, but it also says I need Administrator rights. This is a home comp and I'm the only one who uses it so I don't understand why I don't have Admin rights.

  8. #8
    Neal is offline Dedicated Member
    What about the folders?

    What about the other files I asked you to scan?


    Try this for an online scanner:



    Go here BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

    When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

    And post a new HJT log also..

  9. #9
    paulthomasno6 is offline Senior Member
    Neal,
    Here's the complete results from VirusTotal, BitDefender and HJT logs.

    BitDefender worked fine, no problems at all with the ActiveX download BTW.

    C:\37d5162f1922e03346491ac67f92ba38
    File update.exe
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.21 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.21 no virus found
    BitDefender 7.2 2007.07.22 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.22 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.19 no virus found
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.22 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.21 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.22 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.22 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.21 no virus found
    VirusBuster 4.3.26:9 2007.07.21 no virus found
    Webwasher-Gateway 6.0.1 2007.07.22 no virus found

    Additional information
    File size: 716000 bytes
    MD5: 0b630c8656b1ea82c82b929d51fa351b
    SHA1: 2be63bbb8e54a471bbc4bda98c9157903e821be2


    File updspapi.dll
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.21 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.21 no virus found
    BitDefender 7.2 2007.07.22 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.22 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.19 no virus found
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.22 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.21 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.22 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.22 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.21 no virus found
    VirusBuster 4.3.26:9 2007.07.21 no virus found
    Webwasher-Gateway 6.0.1 2007.07.22 no virus found

    Additional information
    File size: 371424 bytes
    MD5: e58ab8bfffc584dba6f7ec2f83f32b68
    SHA1: 855d7c624feb67140dfbd7f07269eae98b15c23d


    File wpdinstallutil.dll
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.21 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.21 no virus found
    BitDefender 7.2 2007.07.22 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.22 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.19 no virus found
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.22 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.22 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.22 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.22 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.21 no virus found
    VirusBuster 4.3.26:9 2007.07.21 no virus found
    Webwasher-Gateway 6.0.1 2007.07.22 no virus found

    Additional information
    File size: 13312 bytes
    MD5: 204b8c231c8b15fcbb3f3e83dc5c4b1f
    SHA1: 8815c9d071fcd87babba5c4342bde563c93825a8


    C:\277b6bb3f244727fbd9930326f3ec201
    File update.exe
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.22 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.22 no virus found
    BitDefender 7.2 2007.07.23 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.23 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.22 no virus found
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.23 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.22 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.23 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.23 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.21 no virus found
    VirusBuster 4.3.26:9 2007.07.22 no virus found
    Webwasher-Gateway 6.0.1 2007.07.23 no virus found

    Additional information
    File size: 742192 bytes
    MD5: b9fa27bea6b6fb59cd79aa46e58f9176
    SHA1: fe65b899ed5a8c095a7e6a996e48fab5097482a0


    File wudfcustom.dll
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.22 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.22 no virus found
    BitDefender 7.2 2007.07.23 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.23 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.22 no virus found
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.23 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.22 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.23 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.23 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.23 no virus found
    VirusBuster 4.3.26:9 2007.07.22 no virus found
    Webwasher-Gateway 6.0.1 2007.07.23 no virus found

    Additional information
    File size: 58368 bytes
    MD5: acc352f1cf1694c87f0590996a887c91
    SHA1: 0001ab38a34c5a495328807605953b0ff15fcc63


    C:\WINDOWS\iun6002.exe
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.22 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.22 no virus found
    BitDefender 7.2 2007.07.23 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.23 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.22 no virus found
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.23 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.22 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.23 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.23 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.23 no virus found
    VirusBuster 4.3.26:9 2007.07.22 no virus found
    Webwasher-Gateway 6.0.1 2007.07.23 no virus found

    Additional information
    File size: 737280 bytes
    MD5: 456462905091db042141487fe030e3c9
    SHA1: bb57b4850528c3c8d9bf159fb5b9f414ddc7d5d7

    C:\WINDOWS\system32\kbpDinput.dll
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.22 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.22 no virus found
    BitDefender 7.2 2007.07.23 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.23 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.22 no virus found
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.23 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.22 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.23 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.23 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.23 no virus found
    VirusBuster 4.3.26:9 2007.07.22 no virus found
    Webwasher-Gateway 6.0.1 2007.07.23 no virus found

    Additional information
    File size: 37057 bytes
    MD5: 85b58d9551597d4d74722b57fb852b86
    SHA1: 17a7b1a02b376da30311ab8219b6baf43d9bed70


    C:\WINDOWS\uninstall Pinups_F.exe
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.22 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.22 no virus found
    BitDefender 7.2 2007.07.23 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.23 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.22 suspicious Trojan/Worm
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.23 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.22 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.23 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.23 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.23 no virus found
    VirusBuster 4.3.26:9 2007.07.22 no virus found
    Webwasher-Gateway 6.0.1 2007.07.23 no virus found

    Additional information
    File size: 231330 bytes
    MD5: 8f8a9b6ce7f3f4dd2942fb535b8a64a9
    SHA1: 38002c4464ffead598651384d8c166610f1316f3


    C:\WINDOWS\Pinups_F.scr
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.22 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.22 no virus found
    BitDefender 7.2 2007.07.23 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.23 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.22 suspicious Trojan/Worm
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.23 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.22 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.23 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.23 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.23 no virus found
    VirusBuster 4.3.26:9 2007.07.22 no virus found
    Webwasher-Gateway 6.0.1 2007.07.23 no virus found

    Additional information
    File size: 1300219 bytes
    MD5: 6d7c1ecff13103462226ec1904f9e387
    SHA1: 71d9329eaa4a8cc4bb0d0b56945bc93de33ddd0d
    packers: UPX


    C:\WINDOWS\system32\My Screensaver.scr
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
    AntiVir 7.4.0.44 2007.07.22 no virus found
    Authentium 4.93.8 2007.07.20 no virus found
    Avast 4.7.997.0 2007.07.22 no virus found
    AVG 7.5.0.476 2007.07.22 no virus found
    BitDefender 7.2 2007.07.23 no virus found
    CAT-QuickHeal 9.00 2007.07.20 no virus found
    ClamAV devel-20070416 2007.07.23 no virus found
    DrWeb 4.33 2007.07.22 no virus found
    eSafe 7.0.15.0 2007.07.22 no virus found
    eTrust-Vet 30.8.3797 2007.07.20 no virus found
    Ewido 4.0 2007.07.22 no virus found
    FileAdvisor 1 2007.07.23 no virus found
    Fortinet 2.91.0.0 2007.07.22 no virus found
    F-Prot 4.3.2.48 2007.07.20 no virus found
    F-Secure 6.70.13030.0 2007.07.22 no virus found
    Ikarus T3.1.1.8 2007.07.22 no virus found
    Kaspersky 4.0.2.24 2007.07.23 no virus found
    McAfee 5079 2007.07.20 no virus found
    Microsoft 1.2704 2007.07.22 no virus found
    NOD32v2 2411 2007.07.21 no virus found
    Norman 5.80.02 2007.07.20 no virus found
    Panda 9.0.0.4 2007.07.22 no virus found
    Sophos 4.19.0 2007.07.17 no virus found
    Sunbelt 2.2.907.0 2007.07.21 no virus found
    Symantec 10 2007.07.23 no virus found
    TheHacker 6.1.7.151 2007.07.22 no virus found
    VBA32 3.12.2.1 2007.07.23 no virus found
    VirusBuster 4.3.26:9 2007.07.22 no virus found
    Webwasher-Gateway 6.0.1 2007.07.23 no virus found

    Additional information
    File size: 322113 bytes
    MD5: 84d7946bcc5cf996f5fb370db200a0bc
    SHA1: ca5f98e88ae6339909fe3a71d0edf95baf4a181e
    packers: ASPACK
    packers: Aspack


    BitDefender Scan Results

    [General]
    App = "BitDefender Online Scanner v8"
    Date = 23:07:2007
    Time = 09:18:52
    Scan Path = A:\;C:\;D:\;E:\;

    [Engines Info]
    Virus Definitions = 639946
    Engine build = "AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)"
    Scan plugins = 14
    Archive plugins = 38
    Unpack plugins = 6
    E-mail plugins = 6
    System plugins = 1

    [Scan Statistics]
    Folders = 5878
    Files = 327662
    Archives = 8336
    Packed files = 7655
    Identified viruses = 1
    Infected files = 4
    Warnings = 0
    Suspect files = 0
    Disinfected files = 0
    Deleted files = 4
    Copied files = 0
    Moved files = 0
    Renamed files = 0
    I/O Errors = 44

    [Scan Settings]
    SecondAction = Delete
    FirstAction = Disinfect
    Heuristics = 1
    Enable Warnings = 1
    Exclude Ext =
    Extensions = *;
    Scan Emails = 1
    Scan Archives = 1
    Scan Packed = 1
    Scan Files = 1
    Scan Boot = 1
    Verify Memory = 0

    [Scan Results]
    Line00000011 = "C:\Documents and Settings\Gregory\Desktop\ccsetup141.exe Infected with: Trojan.Downloader.Zlob.AADO"
    Line00000010 = "C:\Documents and Settings\Gregory\Desktop\ccsetup141.exe Disinfection failed"
    Line00000009 = "C:\Documents and Settings\Gregory\Desktop\ccsetup141.exe Deleted"
    Line00000008 = "C:\Program Files\CCleaner\uninst.exe Infected with: Trojan.Downloader.Zlob.AADO"
    Line00000007 = "C:\Program Files\CCleaner\uninst.exe Disinfection failed"
    Line00000006 = "C:\Program Files\CCleaner\uninst.exe Deleted"
    Line00000005 = "C:\System Volume Information\_restore{82A131D4-0484-4431-80E7-EED76E95359F}\RP532\A0074078.exe Infected with: Trojan.Downloader.Zlob.AADO"
    Line00000004 = "C:\System Volume Information\_restore{82A131D4-0484-4431-80E7-EED76E95359F}\RP532\A0074078.exe Disinfection failed"
    Line00000003 = "C:\System Volume Information\_restore{82A131D4-0484-4431-80E7-EED76E95359F}\RP532\A0074078.exe Deleted"
    Line00000002 = "C:\System Volume Information\_restore{82A131D4-0484-4431-80E7-EED76E95359F}\RP532\A0074079.exe Infected with: Trojan.Downloader.Zlob.AADO"
    Line00000001 = "C:\System Volume Information\_restore{82A131D4-0484-4431-80E7-EED76E95359F}\RP532\A0074079.exe Disinfection failed"
    Line00000000 = "C:\System Volume Information\_restore{82A131D4-0484-4431-80E7-EED76E95359F}\RP532\A0074079.exe Deleted"


    HJT Logfile

    Logfile of HijackThis v1.99.1
    Scan saved at 9:30:51 AM, on 23/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\OptusNet DSL Internet\DSC.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
    C:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\AlarmS4.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    C:\Program Files\nthClock\nthClock.exe
    C:\Program Files\Labtec Wireless Desktop\OSD.EXE
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gregory\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.optusnet.com.au/dsl/favorites/homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [MPS] C:\ACER\PSM.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
    O4 - HKLM\..\Run: [admtray.exe] "C:\Program Files\Acer\eManager\admtray.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Backup NOW! Scheduler] "C:\Program Files\NewTech Infosystems\NTI Backup NOW! 3\Schdlr32.exe" -s
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe"
    O4 - HKCU\..\Run: [EPSON Stylus C65 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE" /P23 "EPSON Stylus C65 Series" /M "Stylus C65" /EF "HKCU"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Global Startup: AlarmS4.lnk = C:\WINDOWS\system32\AlarmS4.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: nthClock.lnk = C:\Program Files\nthClock\nthClock.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147694644515
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Hardware Monitoring Program (ADMService) - OSA Technologies Inc - C:\Program Files\Acer\eManager\admServ.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

  10. #10
    Neal is offline Dedicated Member
    Thank you for that information.

    Any better?
