
Help Removing an Unbeatable Virus


Original Message
Name: nethelpers
Date: July 16, 2006 at 09:04:00 Pacific
Subject: Help Removing an Unbeatable Virus
OS: Windows XP Professional 2
CPU/Ram: PIII 999/512 megs
Model/Manufacturer: Packard Bell
Comment:

Hello!

Description: Two files keep reappearing on my desktop and in my "My Music" folder. The files are setup.exe and autorun.inf, and although I delete them, they keep returning every few hours (regardless of what I'm doing on the computer).

More information: the file sizes on disk are 56.0 KB (57,344 bytes) for setup.exe and 4.00 KB (4,096 bytes) for autorun.inf. The autorun.inf file has these lines in it:

[autorun]
open=setup.exe
icon=setup.exe,0

What I tried: I've installed several anti-virus and anti-spyware programs, like Norton, Panda and AVG, Ad-Aware, Spyware Terminator and Windows Defender. They all found something (mostly cookies), but didn't stop the problem. I've also checked all the running processes and didn't find anything suspicious; I've uninstalled every questionable program, stopped services and cleaned the startup using msconfig.

I'm a fairly experienced user and I don't remember ever opening anything that could be a threat. The last thing I remember installing is something called "IM" (from im.com) to watch online TV, but I've uninstalled anything related to it a long time ago.

Please, if anyone can think of something to do, help! I've been struggling with this for almost two weeks, trying anything imaginable.

Thanks!




Response Number 1
Name: jabuck
Date: July 16, 2006 at 09:54:47 Pacific
Reply:

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.

Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "Next" in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.



Response Number 2
Name: nethelpers
Date: July 16, 2006 at 13:07:59 Pacific
Reply:

Hey,

Thanks for taking the time. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 23:10:19, on 16/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\MSN Messenger\Plus\MsgPlus.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Internet\cg4ie\cg4ie.exe
F:\Program Files\Powertoys\MultiRes.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\Internet\eMule\emule.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://now.walla.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Acrobat Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\PROGRA~1\Internet\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: NetHelper Toolbar - {aeb0b6b0-0cbd-4176-b0f0-fceadf802e2e} - F:\Program Files\NetHelper\tbNetH.dll
O3 - Toolbar: MyCommunities toolbar - {24f0a2c9-feb5-4015-ba4d-555543575b22} - F:\Program Files\MyCommunities\tbMyC0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll
O4 - HKLM\..\Run: [SysTray] "f:\Windows\System32\Systray.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MSN Messenger\Plus\MsgPlus.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CG4IE] F:\Program Files\Internet\cg4ie\cg4ie.exe
O4 - Startup: MultiRes.lnk = F:\Program Files\Powertoys\MultiRes.exe
O8 - Extra context menu item: Note this (Google Note&book) - res://F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll/gn_menu2.html
O8 - Extra context menu item: Subscribe in default RSS reader - F:\Documents and Settings\Administrator\Application Data\RssBandit\iecontext_subscribefeed.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - F:\Program Files\Internet\FlashGet\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - F:\Program Files\Internet\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\Internet\FlashGet\JetCar.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\Internet\FlashGet\JetCar.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{855636E4-BC1F-4FAF-AED3-8E5CC7507501}: NameServer = 192.116.202.222 213.8.172.83
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Log - Unknown owner - F:\WINDOWS\system32\nvsvcd.exe




Response Number 3
Name: jabuck
Date: July 16, 2006 at 13:54:52 Pacific
Reply:

Do you know what this is:

O3 - Toolbar: MyCommunities toolbar - {24f0a2c9-feb5-4015-ba4d-555543575b22} - F:\Program Files\MyCommunities\tbMyC0.dll

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Files to delete:
F:\WINDOWS\system32\nvsvcd.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do not follow these directions as they could damage your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your next post.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

R3 - Default URLSearchHook is missing

O23 - Service: Windows Log - Unknown owner - F:\WINDOWS\system32\nvsvcd.exe

Go to start> run> copy/paste the following bolded command into the space provided:

sc delete "Windows Log" then press enter.

Post a new Hijack This log please.



Response Number 4
Name: nethelpers
Date: July 16, 2006 at 14:43:09 Pacific
Reply:

Hi!

I've done everything and here are the results. And yes, I know what the toolbar is, it's not malicious.

Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ndybliav

*******************

Script file located at: \??\F:\iaxfedhn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

File F:\WINDOWS\system32\nvsvcd.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 00:46:06, on 17/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\MSN Messenger\Plus\MsgPlus.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\devldr32.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Internet\cg4ie\cg4ie.exe
F:\Program Files\Powertoys\MultiRes.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://now.walla.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Acrobat Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\PROGRA~1\Internet\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: NetHelper Toolbar - {aeb0b6b0-0cbd-4176-b0f0-fceadf802e2e} - F:\Program Files\NetHelper\tbNetH.dll
O3 - Toolbar: MyCommunities toolbar - {24f0a2c9-feb5-4015-ba4d-555543575b22} - F:\Program Files\MyCommunities\tbMyC0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll
O4 - HKLM\..\Run: [SysTray] "f:\Windows\System32\Systray.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MSN Messenger\Plus\MsgPlus.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CG4IE] F:\Program Files\Internet\cg4ie\cg4ie.exe
O4 - Startup: MultiRes.lnk = F:\Program Files\Powertoys\MultiRes.exe
O8 - Extra context menu item: Note this (Google Note&book) - res://F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll/gn_menu2.html
O8 - Extra context menu item: Subscribe in default RSS reader - F:\Documents and Settings\Administrator\Application Data\RssBandit\iecontext_subscribefeed.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - F:\Program Files\Internet\FlashGet\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - F:\Program Files\Internet\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\Internet\FlashGet\JetCar.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\Internet\FlashGet\JetCar.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{855636E4-BC1F-4FAF-AED3-8E5CC7507501}: NameServer = 192.116.202.222 213.8.172.83
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe


Thanks a lot for your help!



Response Number 5
Name: jabuck
Date: July 16, 2006 at 14:50:52 Pacific
Reply:

Much better, do you know what this toolbar is:

O3 - Toolbar: MyCommunities toolbar - {24f0a2c9-feb5-4015-ba4d-555543575b22} - F:\Program Files\MyCommunities\tbMyC0.dll





Response Number 6
Name: nethelpers
Date: July 16, 2006 at 15:04:45 Pacific
Reply:

Yes. It's an add-on to IE, not spyware or malicious in any way. EffectiveBrand company. I've been using it for almost a year.



Response Number 7
Name: jabuck
Date: July 16, 2006 at 15:14:29 Pacific
Reply:

Ok, are you still finding the weird setup files, and are you running better?



Response Number 8
Name: nethelpers
Date: July 16, 2006 at 15:35:01 Pacific
Reply:

I'll let you know in a few hours. I've deleted them now and it appears OK. But as I said, it shows up every few hours, so I'll let you know.

Thanks jabuck, you're great.



Response Number 9
Name: nethelpers
Date: July 17, 2006 at 08:42:24 Pacific
Reply:

Hi again Jabuck,

I'm afraid the setup.exe and autorun.inf still keep reappearing.

Any other thoughts?

Thanks!



Response Number 10
Name: jabuck
Date: July 17, 2006 at 15:40:30 Pacific
Reply:

I'm guessing it's from a cd-rom. Wonder if there is a cd in one of the drives.



Response Number 11
Name: nethelpers
Date: July 18, 2006 at 09:19:40 Pacific
Reply:

There's actually a DVD and a CD in the drive.
I took them out now. If this will solve my problem, I will probably feel really stupid.

Thanks!



Response Number 12
Name: nethelpers
Date: July 19, 2006 at 10:52:36 Pacific
Reply:

Hi Jabuck,

For a few hours I actually thought it helped and how stupid I must be, but this morning it came back. Setup.exe and Autorun.inf.

Charming.

Do you think I need to stop using my computer until this is fixed? Should I format and start over? Or maybe you'd like another shot at the problem?

In any case, thanks a lot for all your help. I really appreciate it.



Response Number 13
Name: jabuck
Date: July 19, 2006 at 15:12:35 Pacific
Reply:

I don't think you have a virus/spyware problem. It sounds as though a cd-rom is trying to read a disk, I have been wrong.

To double check, run these scans and make sure the problem files are there when you run the scans.

Run this free online scan from Panda

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.

Please download SilentRunners from here: http://www.silentrunners.org/Silent%20Runners.zip. Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile in a reply to this post.

Post a new HT log.



Response Number 14
Name: nethelpers
Date: July 21, 2006 at 04:17:34 Pacific
Reply:

Hi!

Here are the results:

Panda Activescan:


Incident Status Location

Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/whenusearch Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ttkro1z.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ttkro1z.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ttkro1z.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/888 Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@888[2].txt
Spyware:Cookie/888 Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@888[3].txt
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@adopt.hbmediapro[1].txt
Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
Spyware:Cookie/NewMedia Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@anm.co[2].txt
Spyware:Cookie/Falkag Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@banner[2].txt
Spyware:Cookie/Belnk Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Bfast Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@bfast[1].txt
Spyware:Cookie/Bluestreak Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
Spyware:Cookie/GoClick Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@c.goclick[2].txt
Spyware:Cookie/Casalemedia Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@cassava[1].txt
Spyware:Cookie/Cgi-bin Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[1].txt
Spyware:Cookie/Clickbank Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/Hitslink Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@counter.hitslink[1].txt
Spyware:Cookie/360i Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/Hitbox Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
Spyware:Cookie/Freestats Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@freestats[1].txt
Spyware:Cookie/Com.com Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@google.com[2].txt
Spyware:Cookie/GoStats Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@gostats[1].txt
Spyware:Cookie/Go Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@go[1].txt
Spyware:Cookie/Hitbox Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt
Spyware:Cookie/Maxserving Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@maxserving[1].txt
Spyware:Cookie/2o7 Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt
Spyware:Cookie/Hitbox Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@phg.hitbox[1].txt
Spyware:Cookie/Qsrch Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@qsrch[2].txt
Spyware:Cookie/QuestionMarket Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/Rn11 Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[2].txt
Spyware:Cookie/Seeq Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@seeq[1].txt
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@servedby.advertising[1].txt
Spyware:Cookie/Serving-sys Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
Spyware:Cookie/SpyLog Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@spylog[1].txt
Spyware:Cookie/Statcounter Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[1].txt
Spyware:Cookie/Toplist Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@toplist[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/Tucows Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@tucows[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[2].txt
Spyware:Cookie/seeqA Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@www.seeq[1].txt
Spyware:Cookie/Seeq Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@www48.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@xmts[1].txt
Spyware:Cookie/Yadro Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@yadro[2].txt
Spyware:Cookie/Zedo Not disinfected F:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
Spyware:Spyware/LZIO-Media Not disinfected F:\Documents and Settings\Administrator\Local Settings\Temp\nsb1CB.tmp\touchanswer.exe
Spyware:Spyware/LZIO-Media Not disinfected F:\Documents and Settings\Administrator\Local Settings\Temp\nss1D6.tmp\touchanswer.exe

Silent Runners:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
----

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "F:\WINDOWS\system32\ctfmon.exe" [MS]
"CG4IE" = "F:\Program Files\Internet\cg4ie\cg4ie.exe" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SysTray" = ""f:\Windows\System32\Systray.exe"" [MS]
"MessengerPlus3" = ""F:\Program Files\MSN Messenger\Plus\MsgPlus.exe"" ["Patchou"]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"ATICCC" = ""F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "F:\Program Files\Acrobat Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{69A87B7D-DE56-4136-9655-716BA50C19C7}\(Default) = "Google Web Accelerator Helper"
-> {HKLM...CLSID} = "&Google Web Accelerator Helper"
\InProcServer32\(Default) = "F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IeCatch2 Class"
\InProcServer32\(Default) = "F:\PROGRA~1\Internet\FlashGet\jccatch.dll" ["Amaze Soft"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "f:\program files\google\googletoolbar2.dll" ["Google Inc."]
{CCCCCCD3-666F-4F81-8B69-745DE9F6D897}\(Default) = "&Google Notebook"
-> {HKLM...CLSID} = "&Google Notebook"
\InProcServer32\(Default) = "F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "F:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\WINDOWS\system32\phototoys.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "F:\Program Files\Nokia\Nokia PC Suite 6\Components\PhoneBrowserComponents\NokiaPhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {HKLM...CLSID} = "Contact View"
\InProcServer32\(Default) = "F:\Program Files\Nokia\Nokia PC Suite 6\Components\PhoneBrowserComponents\ContactView.dll" ["Nokia"]
"{43886CD5-6529-41c4-A707-7B3C92C05E68}" = "IE Navigation Bar"
-> {HKLM...CLSID} = "IE Navigation Bar"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ieframe.dll" [file not found]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE AutoComplete"
-> {HKLM...CLSID} = "IE AutoComplete"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ieframe.dll" [file not found]
"{4B78D326-D922-44f9-AF2A-07805C2A3560}" = "IE Menu Band"
-> {HKLM...CLSID} = "IE Menu Band"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ieframe.dll" [file not found]
"{6CF48EF8-44CD-45d2-8832-A16EA016311B}" = "IE IShellFolderBand"
-> {HKLM...CLSID} = "IE IShellFolderBand"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ieframe.dll" [file not found]
"{F2CF5485-4E02-4f68-819C-B92DE9277049}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ieframe.dll" [file not found]
"{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" = "IE Fade Task"
-> {HKLM...CLSID} = "IE Fade Task"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ieframe.dll" [file not found]
"{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" = "IE Tracking Shell Menu"
-> {HKLM...CLSID} = "IE Tracking Shell Menu"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ieframe.dll" [file not found]
"{44C76ECD-F7FA-411c-9929-1B77BA77F524}" = "IE Menu Site"
-> {HKLM...CLSID} = "IE Menu Site"
\InProcServer32\(Default) = "F:\WINDOWS\system32\ieframe.dll" [file not found]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "F:\WINDOWS\system32\browseui.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "F:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{68f32140-2ca3-11d0-acc1-444553540000}" = "PicaView32"
-> {HKLM...CLSID} = "PicaView32 Shell Extension"
\InProcServer32\(Default) = "F:\PROGRA~1\PICAVI~1\PicaView.dll" ["ACD Systems, Ltd."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "F:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "F:\WINDOWS\system32\dfshim.dll" [MS]
"{CCCCCCD3-666F-4F81-8B69-745DE9F6D897}" = "&Google Notebook"
-> {HKLM...CLSID} = "&Google Notebook"
\InProcServer32\(Default) = "F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll" [null data]
"{CCCCCCDB-4DDB-4703-95D4-DD2C526397BF}" = "&Google Notebook"
-> {HKLM...CLSID} = "&Google Notebook"
\InProcServer32\(Default) = "F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "F:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "F:\WINDOWS\system32\Audiodev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "F:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "F:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk *" [file not found], [MS], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! NavLogon\DLLName = "F:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "F:\Program Files\Acrobat Reader\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
CopyPath\(Default) = "{303FEFF0-6ABA-11D3-90E4-0090272D53E3}"
-> {HKLM...CLSID} = "CopyPathExt Class"
\InProcServer32\(Default) = "F:\KingSub\kingsub.dll" [empty string]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "F:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
PicaView32\(Default) = "{68f32140-2ca3-11d0-acc1-444553540000}"
-> {HKLM...CLSID} = "PicaView32 Shell Extension"
\InProcServer32\(Default) = "F:\PROGRA~1\PICAVI~1\PicaView.dll" ["ACD Systems, Ltd."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
CopyPath\(Default) = "{303FEFF0-6ABA-11D3-90E4-0090272D53E3}"
-> {HKLM...CLSID} = "CopyPathExt Class"
\InProcServer32\(Default) = "F:\KingSub\kingsub.dll" [empty string]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "F:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "F:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Administrator" & "All Users" startup folders:
-----

F:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"MultiRes" -> shortcut to: "F:\Program Files\Powertoys\MultiRes.exe" ["EnTech Taiwan"]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "F:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
--

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
F:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 08
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 09 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
-------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "f:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{AEB0B6B0-0CBD-4176-B0F0-FCEADF802E2E}"
-> {HKLM...CLSID} = "NetHelper Toolbar"
\InProcServer32\(Default) = "F:\Program Files\NetHelper\tbNetH.dll" ["Platforma Online Ltd."]
"{24F0A2C9-FEB5-4015-BA4D-555543575B22}"
-> {HKLM...CLSID} = "MyCommunities toolbar"
\InProcServer32\(Default) = "F:\Program Files\MyCommunities\tbMyC0.dll" ["Platforma Online Ltd."]
"{CCCCCCDB-4DDB-4703-95D4-DD2C526397BF}"
-> {HKLM...CLSID} = "&Google Notebook"
\InProcServer32\(Default) = "F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "f:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}"
-> {HKLM...CLSID} = "Google Web Accelerator"
\InProcServer32\(Default) = "F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
"{AEB0B6B0-0CBD-4176-B0F0-FCEADF802E2E}"
-> {HKLM...CLSID} = "NetHelper Toolbar"
\InProcServer32\(Default) = "F:\Program Files\NetHelper\tbNetH.dll" ["Platforma Online Ltd."]
"{24F0A2C9-FEB5-4015-BA4D-555543575B22}"
-> {HKLM...CLSID} = "MyCommunities toolbar"
\InProcServer32\(Default) = "F:\Program Files\MyCommunities\tbMyC0.dll" ["Platforma Online Ltd."]
"{22D003CE-6952-46C5-80B9-D19B479620AB}"
-> {HKLM...CLSID} = "Stumble&Upon"
\InProcServer32\(Default) = "F:\WINDOWS\system32\s1940.dll" [empty string]
"{CCCCCCDB-4DDB-4703-95D4-DD2C526397BF}"
-> {HKLM...CLSID} = "&Google Notebook"
\InProcServer32\(Default) = "F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" = (no title provided)
-> {HKLM...CLSID} = "Google Web Accelerator"
\InProcServer32\(Default) = "F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
"{AEB0B6B0-0CBD-4176-B0F0-FCEADF802E2E}" = "NetHelper Toolbar"
-> {HKLM...CLSID} = "NetHelper Toolbar"
\InProcServer32\(Default) = "F:\Program Files\NetHelper\tbNetH.dll" ["Platforma Online Ltd."]
"{24F0A2C9-FEB5-4015-BA4D-555543575B22}" = "MyCommunities Toolbar"
-> {HKLM...CLSID} = "MyCommunities toolbar"
\InProcServer32\(Default) = "F:\Program Files\MyCommunities\tbMyC0.dll" ["Platforma Online Ltd."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "f:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{CCCCCCDB-4DDB-4703-95D4-DD2C526397BF}" = "&Google Notebook"
-> {HKLM...CLSID} = "&Google Notebook"
\InProcServer32\(Default) = "F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll" [null data]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "F:\WINDOWS\system32\browseui.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "F:\PROGRA~1\Internet\FlashGet\JetCar.exe" ["Amaze Soft"]


Running Services (Display Name, Service Name, Path {Service DLL}):
--------

Ati HotKey Poller, Ati HotKey Poller, "F:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Support Service, BthServ, "F:\WINDOWS\system32\svchost.exe -k bthsvcs" {"F:\WINDOWS\System32\bthserv.dll" [MS]}
Norton Ghost, Norton Ghost, "F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe" ["Symantec Corporation"]
Symantec AntiVirus, Symantec AntiVirus, ""F:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""F:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows Defender Service, WinDefend, ""F:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "F:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 209 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 49 seconds.
---------- (total run time: 350 seconds)


Thanks!



Response Number 15
Name: jabuck
Date: July 21, 2006 at 19:58:30 Pacific
Reply:

There is some spyware left.

Please download “Avenger” by swandog46 again to your desktop from this link: http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Files to delete:
F:\Documents and Settings\Administrator\Local Settings\Temp\nss1D6.tmp\touchanswer.exe
F:\Documents and Settings\Administrator\Local Settings\Temp\nsb1CB.tmp\touchanswer.exe
F:\Documents and Settings\Administrator\Local Settings\Temp\nss1D6.tmp
F:\Documents and Settings\Administrator\Local Settings\Temp\nsb1CB.tmp
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply and post a new Hijack This log.

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/
We will need it later in safe mode.

Download Ewido Security Suite. We will need this later in safe mode.

Be sure to update Ewido

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run Ewido from safe mode and let it delete all that it finds.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Run this free online scan from Panda

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.



Response Number 16
Name: nethelpers
Date: July 22, 2006 at 05:54:17 Pacific
Reply:

OK. I've run Ewido, ATF-Cleaner, Panda, cleaned my restore folder and all according to your instructions. Ewido found a few pieces of spyware, but mostly cookies. Panda didn't find anything.

But... The setup.exe and autorun.inf keep showing up on my desktop and in my music folder. Amazing.

This is the Avenger file (I've deleted the unsuccessful ones manually).

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xievgcqu

*******************

Script file located at: \??\F:\WINDOWS\qhnjhmla.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

File F:\Documents and Settings\Administrator\Local Settings\Temp\nss1D6.tmp\touchanswer.exe deleted successfully.
File F:\Documents and Settings\Administrator\Local Settings\Temp\nsb1CB.tmp\touchanswer.exe deleted successfully.


Error: F:\Documents and Settings\Administrator\Local Settings\Temp\nss1D6.tmp is a folder, not a file!
Deletion of file F:\Documents and Settings\Administrator\Local Settings\Temp\nss1D6.tmp failed!

Could not process line:
F:\Documents and Settings\Administrator\Local Settings\Temp\nss1D6.tmp
Status: 0xc00000ba

Error: F:\Documents and Settings\Administrator\Local Settings\Temp\nsb1CB.tmp is a folder, not a file!
Deletion of file F:\Documents and Settings\Administrator\Local Settings\Temp\nsb1CB.tmp failed!

Could not process line:
F:\Documents and Settings\Administrator\Local Settings\Temp\nsb1CB.tmp
Status: 0xc00000ba


Completed script processing.

*******************

Finished! Terminate.

Here is another HT:

Logfile of HijackThis v1.99.1
Scan saved at 15:56:41, on 22/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\MSN Messenger\Plus\MsgPlus.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ewido anti-spyware\guard.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\Internet\cg4ie\cg4ie.exe
F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe
F:\Program Files\Powertoys\MultiRes.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://now.walla.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Acrobat Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\PROGRA~1\Internet\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: NetHelper Toolbar - {aeb0b6b0-0cbd-4176-b0f0-fceadf802e2e} - F:\Program Files\NetHelper\tbNetH.dll
O3 - Toolbar: MyCommunities toolbar - {24f0a2c9-feb5-4015-ba4d-555543575b22} - F:\Program Files\MyCommunities\tbMyC0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll
O3 - Toolbar: 6initiative Toolbar - {4a55d583-8c43-4547-a7c0-8f0a97ea1d99} - F:\Program Files\6initiative\tb6ini.dll
O4 - HKLM\..\Run: [SysTray] "f:\Windows\System32\Systray.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MSN Messenger\Plus\MsgPlus.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CG4IE] F:\Program Files\Internet\cg4ie\cg4ie.exe
O4 - Startup: MultiRes.lnk = F:\Program Files\Powertoys\MultiRes.exe
O8 - Extra context menu item: Note this (Google Note&book) - res://F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll/gn_menu2.html
O8 - Extra context menu item: Subscribe in default RSS reader - F:\Documents and Settings\Administrator\Application Data\RssBandit\iecontext_subscribefeed.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - F:\Program Files\Internet\FlashGet\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - F:\Program Files\Internet\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\Internet\FlashGet\JetCar.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\Internet\FlashGet\JetCar.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{855636E4-BC1F-4FAF-AED3-8E5CC7507501}: NameServer = 192.116.202.222 213.8.172.83
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe


What do you think, should I just give up?



Response Number 17
Name: jabuck
Date: July 22, 2006 at 06:14:56 Pacific
Reply:

Never give up.

Upload this file:

F:\Program Files\Internet\cg4ie\cg4ie.exe

to http://virusscan.jotti.org/ by copying it into the "upload and scan" box; click Submit, then post the results.



Response Number 18
Name: nethelpers
Date: July 22, 2006 at 06:51:43 Pacific
Reply:

When I told my problem to my brother, a tech-support guy, he said there are two ways: The easy way or the hard way. He said the easy thing will be formatting. When I asked what is my other option he said I can try every anti-virus program out there and then format...

Anyway, cg4ie cleared:


File: cg4ie.exe
Status: OK
MD5 147ab758cbef882a843ecb0780c564eb
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

I've also submitted the setup.exe file that is being created and here are the results:


File: setup.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 d7b055972a299061830d8fc8172f3f9a
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Could it be something new?


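A defender's triage of the recurring setup.exe, as an added example that is not code from the thread or from Jotti: it hashes each copy, compares it with the MD5 Jotti reported above, and flags UPX by the section names it leaves in the PE header. The sample PE skeleton and the command-line paths are constructed/assumed for the demo.

```python
"""Triage of a recurring dropper file (added example; not code from the thread).

Jotti reported setup.exe as UPX-packed with no detections. Two questions a
defender asks about a file that keeps coming back: is it the same binary each
time, and what packer hides it? This reads the PE section table (stock UPX
names its sections UPX0/UPX1) and compares the MD5 with the hash already
submitted. The sample PE below is constructed (headers only, not executable).
"""
import hashlib
import struct
import sys

# MD5 Jotti reported for the submitted setup.exe (value taken from the thread).
KNOWN_SETUP_MD5 = "d7b055972a299061830d8fc8172f3f9a"

# Section names the stock UPX packer writes into the PE header.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 because that is what Jotti reported)."""
    return hashlib.md5(data).hexdigest()


def pe_section_names(data: bytes):
    """Return the section names of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte "PE\0\0" signature followed by the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # each section header is 40 bytes
        if off + 40 > len(data):
            break                             # truncated header table: stop
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data: bytes, known_md5: str = KNOWN_SETUP_MD5) -> dict:
    """Summarise one copy of the file: hash, PE-ness, sections, UPX flag."""
    names = pe_section_names(data)
    digest = md5_hex(data)
    return {
        "md5": digest,
        "same_as_submitted": digest == known_md5.lower(),
        "is_pe": names is not None,
        "sections": [n.decode("ascii", "replace") for n in (names or [])],
        "upx_packed": any(n in UPX_SECTION_NAMES for n in (names or [])),
    }


def build_sample_pe(section_names) -> bytes:
    """Constructed PE32 header skeleton for the demo: DOS header, PE signature,
    COFF header, zeroed optional header and a section table with given names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 224                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       len(optional), 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    # Usage (paths are assumptions): python triage.py F:\...\Desktop\setup.exe
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            with open(path, "rb") as fh:
                print(path, triage(fh.read()))
    else:
        print(triage(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

Run it each time the file reappears: a changing MD5 means a freshly built dropper rather than the same copy being restored.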

Response Number 19
Name: jabuck
Date: July 22, 2006 at 08:01:39 Pacific
Reply:

Run Hijack This in normal mode and remove these items.

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\PROGRA~1\Internet\FlashGet\jccatch.dll

O8 - Extra context menu item: הורד באמצעות פלאש-גט - F:\Program Files\Internet\FlashGet\jc_link.htm

O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - F:\Program Files\Internet\FlashGet\jc_all.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\Internet\FlashGet\JetCar.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\Internet\FlashGet\JetCar.exe

And to search for rootkits please navigate using Internet Explorer, as other browsers will not work, to the following site: http://support.f-secure.com/enu/home/ols3.shtml

Click the F-Secure Online Scanner Next Generation Beta link.
When prompted, choose to install the software.
After the software has installed, click Accept.
Click Custom Scan and check the option for Scan inside archives, then click Start.
The necessary databases will then be downloaded, and the scan will then start automatically. Please be patient as this scan will take a while to complete.
If any infections are found then once the scan has finished the "cleaning" screen will be displayed. Choose Automatic cleaning (recommended).
After cleaning has finished, then the Finish screen will be displayed. Choose Show Report.
In order to post the report, press CTRL+A on your keyboard to highlight all the text. Then copy and paste that info into this thread, along with a new HijackThis log.



Response Number 20
Name: nethelpers
Date: July 23, 2006 at 12:21:42 Pacific
Reply:

Cool. I'll do it and let you know!

Thanks.



Response Number 21
Name: nethelpers
Date: July 24, 2006 at 01:23:42 Pacific
Reply:

OK, I did it all. Nothing changed...

HT: Logfile of HijackThis v1.99.1
Scan saved at 11:23:12, on 24/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\MSN Messenger\Plus\MsgPlus.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ewido anti-spyware\guard.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\Internet\cg4ie\cg4ie.exe
F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe
F:\Program Files\Powertoys\MultiRes.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\Internet\eMule\emule.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\program Files\hijackthis\hijackThis.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://now.walla.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Acrobat Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - F:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: NetHelper Toolbar - {aeb0b6b0-0cbd-4176-b0f0-fceadf802e2e} - F:\Program Files\NetHelper\tbNetH.dll
O3 - Toolbar: MyCommunities toolbar - {24f0a2c9-feb5-4015-ba4d-555543575b22} - F:\Program Files\MyCommunities\tbMyC0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll
O3 - Toolbar: 6initiative Toolbar - {4a55d583-8c43-4547-a7c0-8f0a97ea1d99} - F:\Program Files\6initiative\tb6ini.dll
O4 - HKLM\..\Run: [SysTray] "f:\Windows\System32\Systray.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MSN Messenger\Plus\MsgPlus.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CG4IE] F:\Program Files\Internet\cg4ie\cg4ie.exe
O4 - Startup: MultiRes.lnk = F:\Program Files\Powertoys\MultiRes.exe
O8 - Extra context menu item: Note this (Google Note&book) - res://F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://F:\Program Files\Google\Google Notebook\gnotes1.0.2.6-45683967.dll/gn_menu2.html
O8 - Extra context menu item: Subscribe in default RSS reader - F:\Documents and Settings\Administrator\Application Data\RssBandit\iecontext_subscribefeed.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{855636E4-BC1F-4FAF-AED3-8E5CC7507501}: NameServer = 192.116.202.222 213.8.172.83
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Security\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Symantec Network Drivers Servi