results from the Ewido scan.

  1. #41
    imported_Neal is offline Dedicated Member

    See if you can reboot into safe mode and run the scans.



    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.


  2. #42
    not a clue is offline Full Member
    It will not scan all the way through, even in safe mode. It is shutting down even after five minutes of use. I think there is a virus in, but it somehow seems to shut the computer down and evade the antivirus. I'll send another HijackThis log if I can. Thanks.

  3. #43
    not a clue is offline Full Member
    Logfile of HijackThis v1.99.1
    Scan saved at 01:15, on 06-11-13
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\d@@@@ent.exe
    C:\Program Files\Lexmark 4300 Series\lxcemon.exe
    C:\Program Files\Lexmark 4300 Series\ezprint.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\ProcessGuard\pgaccount.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\lxcecoms.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dawn\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.madasafish.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [D@@@@ENTEXE] C:\Program Files\Voyager 105 ADSL Modem\d@@@@ent.exe
    O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1157778854921
    O17 - HKLM\System\CCS\Services\Tcpip\..\{371F7D60-1D13-4B02-8299-637F67DD6C33}: NameServer = 80.189.92.2 80.189.94.2
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: DiamondCS ProcessGuard Service v3.410 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

  4. #44
    imported_Neal is offline Dedicated Member
    That is very bad news indeed if you can't do scans.


    Look in Add/Remove Programs, remove SpywareBot, and reboot afterwards.


    Try this:



    Download Silent Runners.vbs and post the log it creates, please:
    http://www.silentrunners.org/sr_scriptuse.html
    Click Yes to the supplementary searches.
    Wait until there is an "All Done" message, then open and post the log next to it.
    Your antivirus script protection might interfere or alert; please allow it to run. After a bit, a box will say Done.


    Also, sometimes malware hides from hijackthis.exe, so I want you to go to hijackthis.exe, right-click on it, rename it foolyou.exe, and post a new HijackThis log from the newly renamed hijackthis.exe.

  5. #45
    not a clue is offline Full Member
    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "DSLSTATEXE" = "C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon" ["GlobespanVirata, Inc."]
    "D@@@@ENTEXE" = "C:\Program Files\Voyager 105 ADSL Modem\d@@@@ent.exe" [null data]
    "LXCECATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16" [MS]
    "lxcemon.exe" = ""C:\Program Files\Lexmark 4300 Series\lxcemon.exe"" ["Lexmark International, Inc."]
    "EzPrint" = ""C:\Program Files\Lexmark 4300 Series\ezprint.exe"" ["Lexmark International Inc."]
    "FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "SpywareBot" = "C:\Program Files\SpywareBot\SpywareBot.exe -boot" ["SpywareBot Company"]
    "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
    "!1_pgaccount" = ""C:\Program Files\ProcessGuard\pgaccount.exe"" ["DiamondCS"]
    "kav" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]
    "(Default)" = "(empty string)" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
    -> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
    "{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
    -> {HKLM...CLSID} = "Shell Extension for CDRW"
    \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
    "{26F05DD3-6EDC-48C8-B2D6-8754AB9B0F8B}" = "AntiSpywarePopMenu Shell Extension"
    -> {HKLM...CLSID} = "AntiSpywarePopMenu ContextMenu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\Defenza\ANTISP~1.DLL" [file not found]
    "{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus"
    -> {HKLM...CLSID} = "Web Anti-Virus"
    \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
    "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
    -> {HKLM...CLSID} = "SpywareGuard.Handler"
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
    -> {HKLM...CLSID} = "SpywareGuard.Handler"
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

    HKLM\System\CurrentControlSet\Control\Session Manager\
    <<!>> "BootExecute" = "autocheck autochk *"|"stera" [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AntiSpywarePopMenu\(Default) = "{26F05DD3-6EDC-48C8-B2D6-8754AB9B0F8B}"
    -> {HKLM...CLSID} = "AntiSpywarePopMenu ContextMenu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\Defenza\ANTISP~1.DLL" [file not found]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AntiSpywarePopMenu\(Default) = "{26F05DD3-6EDC-48C8-B2D6-8754AB9B0F8B}"
    -> {HKLM...CLSID} = "AntiSpywarePopMenu ContextMenu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\Defenza\ANTISP~1.DLL" [file not found]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Dawn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


    Startup items in "Dawn" & "All Users" startup folders:
    ------------------------------------------------------

    C:\Documents and Settings\Dawn\Start Menu\Programs\Startup
    "SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
    "ButtonText" = "Web Anti-Virus"

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
    DiamondCS ProcessGuard Service v3.410, DCSPGSRV, ""C:\Program Files\ProcessGuard\dcsuserprot.exe"" ["DiamondCS"]
    InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
    Kaspersky Anti-Virus 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r" ["Kaspersky Lab"]
    lxce_device, lxce_device, "C:\WINDOWS\system32\lxcecoms.exe -service" ["Lexmark International, Inc."]
    SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    4300 Series Port\Driver = "lxcelmpm.DLL" ["Lexmark International, Inc."]
    Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 272 seconds, including 22 seconds for message boxes)
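    The HijackThis log in post #43 and the Silent Runners report above both mark launch points that deserve a second look: HijackThis appends "(file missing)" to dangling entries and "Unknown owner" to services whose binary has no company name, and Silent Runners prefixes "<<!>>" to suspicious data and tags targets with "[file not found]" or "[null data]". The triage script below is an added example, not part of the thread or of either tool; it pulls those markers out of report text with their section or registry key so a helper can see the entries worth asking about first. The sample reports are constructed from lines quoted in this thread, and the reason strings are the author's own triage notes, not output of either tool.

```python
"""Triage helper for HijackThis and Silent Runners reports (added example, not
part of either tool).  It returns the entries carrying the tools' own review
markers together with where in the report they were found."""
import re

# HijackThis entries look like "O4 - HKLM\..\Run: [name] path" or "R0 - ...".
HJT_ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# Silent Runners prints a registry key on its own line, then the values under it.
SR_KEY = re.compile(r"^HK(LM|CU|CR|U)\\")

# Marker -> why a defender would look at the entry (author's notes, not tool text).
HJT_REASONS = [
    ("(file missing)", "launch point whose target no longer exists (remnant, or a file that hides from scans)"),
    ("Unknown owner", "service binary carries no company name in its version info"),
]
SR_REASONS = [
    ("<<!>>", "flagged by Silent Runners as suspicious data at a malware launch point"),
    ("[file not found]", "launch point whose target no longer exists"),
    ("[null data]", "target has no company name in its version info; verify the file by hash"),
]


def triage_hijackthis(text):
    """Return [(section, reason, entry)] for HijackThis entries worth a second look."""
    findings = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        for marker, reason in HJT_REASONS:
            if marker in body:
                findings.append((section, reason, body))
                break
        else:
            # Winlogon Notify DLLs are loaded at every logon; always list them for review.
            if section == "O20":
                findings.append((section, "Winlogon Notify DLL loaded at every logon", body))
    return findings


def triage_silent_runners(text):
    """Return [(registry key, reason, entry)] for Silent Runners lines carrying a marker."""
    findings = []
    current_key = "(no key)"
    for raw in text.splitlines():
        line = raw.strip()
        if SR_KEY.match(line):
            # Remember the key so each finding can be reported with its location.
            current_key = line.split(" {++}")[0].rstrip("\\")
            continue
        if line.startswith("<<!>>:"):
            continue  # the legend at the end of the report, not a finding
        for marker, reason in SR_REASONS:
            if marker in line:
                findings.append((current_key, reason, line))
                break
    return findings


# Constructed samples, assembled from lines quoted in this thread.
HJT_SAMPLE = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

SR_SAMPLE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpywareBot" = "C:\Program Files\SpywareBot\SpywareBot.exe -boot" ["SpywareBot Company"]
"(Default)" = "(empty string)" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"stera" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

----------
<<!>>: Suspicious data at a malware launch point.
"""

if __name__ == "__main__":
    for where, reason, entry in triage_hijackthis(HJT_SAMPLE) + triage_silent_runners(SR_SAMPLE):
        print(f"[{where}] {reason}\n    {entry}")
```

A marker is a reason to ask, not a verdict: in the reports above the "[null data]" entries are SpywareGuard and Lexmark binaries, and the "<<!>>" on klogon.dll is a Kaspersky component, so the script's output is a shortlist for a helper to confirm by hash or vendor, not a list of things to delete.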

  6. #46
    not a clue is offline Full Member
    I have tried to remove Spybot but cannot get rid of all of it. I cannot find what's left; it keeps popping up in the bottom bar. Sorry, this seems to be a nightmare. Thanks for looking again.

  7. #47
    not a clue is offline Full Member
    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "DSLSTATEXE" = "C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon" ["GlobespanVirata, Inc."]
    "D@@@@ENTEXE" = "C:\Program Files\Voyager 105 ADSL Modem\d@@@@ent.exe" [null data]
    "LXCECATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16" [MS]
    "lxcemon.exe" = ""C:\Program Files\Lexmark 4300 Series\lxcemon.exe"" ["Lexmark International, Inc."]
    "EzPrint" = ""C:\Program Files\Lexmark 4300 Series\ezprint.exe"" ["Lexmark International Inc."]
    "FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "SpywareBot" = "C:\Program Files\SpywareBot\SpywareBot.exe -boot" ["SpywareBot Company"]
    "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
    "!1_pgaccount" = ""C:\Program Files\ProcessGuard\pgaccount.exe"" ["DiamondCS"]
    "kav" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]
    "(Default)" = "(empty string)" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
    -> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
    "{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
    -> {HKLM...CLSID} = "Shell Extension for CDRW"
    \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
    "{26F05DD3-6EDC-48C8-B2D6-8754AB9B0F8B}" = "AntiSpywarePopMenu Shell Extension"
    -> {HKLM...CLSID} = "AntiSpywarePopMenu ContextMenu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\Defenza\ANTISP~1.DLL" [file not found]
    "{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus"
    -> {HKLM...CLSID} = "Web Anti-Virus"
    \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
    "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
    -> {HKLM...CLSID} = "SpywareGuard.Handler"
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
    -> {HKLM...CLSID} = "SpywareGuard.Handler"
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

    HKLM\System\CurrentControlSet\Control\Session Manager\
    <<!>> "BootExecute" = "autocheck autochk *"|"stera" [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AntiSpywarePopMenu\(Default) = "{26F05DD3-6EDC-48C8-B2D6-8754AB9B0F8B}"
    -> {HKLM...CLSID} = "AntiSpywarePopMenu ContextMenu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\Defenza\ANTISP~1.DLL" [file not found]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AntiSpywarePopMenu\(Default) = "{26F05DD3-6EDC-48C8-B2D6-8754AB9B0F8B}"
    -> {HKLM...CLSID} = "AntiSpywarePopMenu ContextMenu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\Defenza\ANTISP~1.DLL" [file not found]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Dawn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


    Startup items in "Dawn" & "All Users" startup folders:
    ------------------------------------------------------

    C:\Documents and Settings\Dawn\Start Menu\Programs\Startup
    "SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
    "ButtonText" = "Web Anti-Virus"

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
    DiamondCS ProcessGuard Service v3.410, DCSPGSRV, ""C:\Program Files\ProcessGuard\dcsuserprot.exe"" ["DiamondCS"]
    InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
    Kaspersky Anti-Virus 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r" ["Kaspersky Lab"]
    lxce_device, lxce_device, "C:\WINDOWS\system32\lxcecoms.exe -service" ["Lexmark International, Inc."]
    SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    4300 Series Port\Driver = "lxcelmpm.DLL" ["Lexmark International, Inc."]
    Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 272 seconds, including 22 seconds for message boxes)

  8. #48
    imported_Neal is offline Dedicated Member
    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide them after we are done.



    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.


    Delete this folder below:


    C:\Program Files\SpywareBot


    Reboot into normal mode, go back to page 3, post #24, and post me another ComboFix log, please.

  9. #49
    not a clue is offline Full Member
    Found Spybot, but still cannot do scans. The computer switches itself off as if it knows there is something wrong, so I can't get it. Hope this helps. Thanks.

  10. #50
    imported_Neal is offline Dedicated Member
    Open HijackThis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.




    Go to the next site:
    http://www.virustotal.com/en/indexf.html
    At the top you'll find "Browse".
    Click the Browse button and browse to the next file. Do one at a time:



    C:\WINDOWS\system32\rokvsfjo.exe
    C:\WINDOWS\system32\inwasjmi.exe
    C:\WINDOWS\system32\afubhnsl.dll
    C:\WINDOWS\system32\isoqasah.dll
    C:\WINDOWS\system32\qhskgeuo.dll
    C:\WINDOWS\system32\iekldyov.dll



    Click Open.
    Then click the "Send" button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.
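    Before uploading a file, a helper can also have the file hashed and search VirusTotal by its digest: a file that is already known to the service comes back without sending anything, and a path that no longer exists is itself worth reporting back. The script below is an added example, not part of the thread or of VirusTotal: it computes the MD5, SHA-1 and SHA-256 of each listed path in chunks (so a large file does not need to fit in memory), records the paths that are missing instead of failing on them, and builds a lookup URL in the form used by the current VirusTotal site (assumed; the 2006 link in the post is a different interface). The demo uses constructed files in a temporary directory, named like the ones in the post but with made-up contents and one deliberately absent.

```python
"""Hash files for a VirusTotal lookup by digest (added example, not part of the
thread).  Reports missing paths instead of raising, so a partial list of
still-present files is returned rather than nothing."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time; large binaries never sit in memory whole
ALGORITHMS = ("md5", "sha1", "sha256")  # all three are accepted VirusTotal search keys


def hash_file(path):
    """Return the size and MD5/SHA-1/SHA-256 hex digests of one file."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {"size": size, **{name: d.hexdigest() for name, d in digests.items()}}


def hash_report(paths):
    """Hash every path that exists; list the ones that do not with status 'missing'."""
    report = []
    for path in paths:
        if os.path.isfile(path):
            report.append({"path": path, "status": "hashed", **hash_file(path)})
        else:
            report.append({"path": path, "status": "missing"})
    return report


def vt_lookup_url(sha256):
    """Lookup URL for a SHA-256 on the current VirusTotal site (assumed URL form)."""
    return "https://www.virustotal.com/gui/file/" + sha256


def demo():
    """Build constructed sample files named like the ones in the post and hash them."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "rokvsfjo.exe")       # constructed: zero bytes
        open(empty, "wb").close()
        filled = os.path.join(tmp, "afubhnsl.dll")      # constructed: repeated text, not a real DLL
        with open(filled, "wb") as fh:
            fh.write(b"constructed sample content, not a real binary\n" * 1000)
        missing = os.path.join(tmp, "inwasjmi.exe")     # deliberately never created
        return hash_report([empty, filled, missing])


if __name__ == "__main__":
    for entry in demo():
        if entry["status"] == "hashed":
            print(f"{entry['path']}: {entry['size']} bytes, sha256 {entry['sha256']}")
            print("  " + vt_lookup_url(entry["sha256"]))
        else:
            print(f"{entry['path']}: MISSING (report this back to the helper)")
```

Hash first and upload second: a digest match tells both sides immediately whether the file is a known sample, and a file that turns out to be absent on the next boot is a useful fact on its own when the machine keeps shutting itself down mid-scan.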
