Unable to remove Spyware

Hi, I am new to this forum and am asking for help to remove some spyware that remains present whatever I try to remove it. I have used HijackThis and the output is below. Any help would be very much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47:27, on 28/08/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\usrbridg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CpuIdle\cpuidle.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\program files\powerstrip\pstrip.exe
G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\System32\ctfmon.exe
F:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yorkshire-divers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;<local>
O2 - BHO: (no name) - {4526C456-D5FA-49D2-A927-213BEE23295C} - C:\WINNT\System32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {60D13203-2DC3-4E31-8909-E70BEC38D9F8} - C:\WINNT\System32\rqrqron.dll
O2 - BHO: (no name) - {7354A1D8-4269-4851-9E03-0C9A35373CE0} - C:\WINNT\System32\awtqp.dll (file missing)
O2 - BHO: (no name) - {A54848A8-CF1B-4B86-B008-8AE3CB240A32} - C:\WINNT\System32\geebc.dll (file missing)
O2 - BHO: (no name) - {C55B8297-6FA8-4C34-8BF4-6FFD1260FFC3} - C:\WINNT\System32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {D1D8AB88-CAF2-4BB7-AB24-9B2DB5AFDA1B} - C:\WINNT\System32\vtutq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdle\cpuidle.exe
O4 - HKLM\..\Run: [MBM 4] C:\PROGRA~1\MOTHER~1\MBM4.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINNT\System32\rmctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PowerStrip] f:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Phase One Media Reader] G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Hahh] "C:\DOCUME~1\ADMINI~1\APPLIC~1\YMANTE~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [NoAdware5] "f:\Program Files\NoAdware5.0\NoAdware5.exe" :Min:
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: system.exe (User 'Default user')
O4 - .DEFAULT User Startup: system.exe (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = F:\program files\ColorVision\Utility\ColorVisionStartup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSetup1.0.0.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123873464421
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.thebiginter.net/webcam/h263ctrl.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://I:\SuperCD\IntraLaunch.CAB
O16 - DPF: {D6862A22-1DD6-11D3-BB7C-444553540000} - http://www.portalsearching.com/toolbar/bho.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://fotobook.foto.com/activex/SpeedUploader.cab
O20 - AppInit_DLLs: C:\WINNT\system32\hadjajr.ini
O20 - Winlogon Notify: pmxmcro32 - C:\WINNT\SYSTEM32\pmxmcro32.dll
O20 - Winlogon Notify: rqrqron - C:\WINNT\SYSTEM32\rqrqron.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINNT\system32\usrbridg.exe
--
End of file - 8776 bytes
 
Yep, you is infected with nasties ... :(


Interesting to see Win2000 being used. You do know that you have not got the latest Service Pack 4? Please install it after, and if, we fix your PC.


Please download this program :

http://www.techsupportforum.com/sect...s/ComboFix.exe
or
http://download.bleepingcomputer.com...a/ComboFix.exe

Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log along with the others below.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Also NOTE: If you have downloaded ComboFix previously please delete that version and download it again!


Next: Download SuperAntiSpyware free home version.

Install SAS; when it asks to be updated, do so.

Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.

Under Scanner Options make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others as they are.

Click the Close button to leave the control center screen.

On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.

Please be patient while it scans your computer.

After the scan is complete a summary box will appear. Click OK.

Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information for me please do the following:
After reboot, double-click the SUPERAntispyware icon on your desktop
Click Preferences.
Click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please paste that information here for me regardless of what it finds along with a new HijackThis log & ComboFix Log.

There will be leftover remnants we can fix using HJT.


 
Hi

Thanks for the prompt reply. Yes, Windows 2000; the machine is an ABIT BP6 running dual 500 Celerons, and has been running rock steady 24 hrs a day since I built it. I inadvertently turned off the AVG and my wife downloaded some files !!!!

Have followed your advice and here are the log files you requested.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/29/2007 at 11:08 PM
Application Version : 3.9.1008
Core Rules Database Version : 3295
Trace Rules Database Version: 1305
Scan type : Complete Scan
Total Scan Time : 01:28:16
Memory items scanned : 501
Memory threats detected : 0
Registry items scanned : 5577
Registry threats detected : 3
File items scanned : 22616
File threats detected : 4
Trojan.Zufyxe
HKLM\System\ControlSet001\Services\IrmACPI
C:\WINNT\SYSTEM32\DRIVERS\NERRTMGR.SYS
HKLM\System\ControlSet002\Services\IrmACPI
HKLM\System\CurrentControlSet\Services\IrmACPI
Adware.HotBar/SpamBlockerUtility (Low Risk)
C:\WINNT\Downloaded Program Files\SpamBlockerUtility.inf
Trojan.Downloader-Gen/NoMultiTask
C:\WINNT\SYSTEM32\VTR.DLL
Trojan.Net-AVP/AVT
C:\QOOBOX\QUARANTINE\C\DOCUME~1\DEFAUL~1\STARTM~1\PROGRAMS\STARTUP\SYSTEM.EXE.VIR

ComboFix 07-08-30.2 - "Administrator" 29/08/2007 23:37:55.8 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.367 [GMT 1:00]

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))

2007-08-29 23:33 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_7c0.dat
2007-08-29 23:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_574.dat
2007-08-29 23:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_34c.dat
2007-08-29 23:20 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_60c.dat
2007-08-29 23:20 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3a8.dat
2007-08-29 21:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 21:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 18:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 23:59 <DIR> d-------- C:\New Folder
2007-08-24 15:19 0 --a------ C:\WINNT\system32\qhjkldxy.dll
2007-08-24 15:16 0 --a------ C:\WINNT\system32\incsektb.dll
2007-08-23 10:34 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-23 09:18 15,360 --a------ C:\WINNT\system32\drvxamr.dll
2007-08-23 01:28 15,360 --a------ C:\WINNT\system32\drvsehr.dll
2007-08-22 23:55 8 --a------ C:\WINNT\system32\61517470.dat
2007-08-22 23:38 15,360 --a------ C:\WINNT\system32\drvcewr.dll
2007-08-09 17:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss
2007-08-09 16:55 45,056 --a------ C:\WINNT\system32\WNASPI32.DLL

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
30/01/04 20:07 234 --a------ C:\Program Files\INSTALL.LOG
28/08/01 01:25 5029136 --a------ C:\WINNT\inf\mp8.exe
07/12/99 12:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
05/03/01 22:16 271 ---h----- C:\Program Files\desktop.ini
05/03/01 22:16 21952 ---h----- C:\Program Files\folder.htt
2003-06-13 18:24:00 56 --sh--r C:\WINNT\system32\2914592171.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4526C456-D5FA-49D2-A927-213BEE23295C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7354A1D8-4269-4851-9E03-0C9A35373CE0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A54848A8-CF1B-4B86-B008-8AE3CB240A32}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C55B8297-6FA8-4C34-8BF4-6FFD1260FFC3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1D8AB88-CAF2-4BB7-AB24-9B2DB5AFDA1B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [07/12/99 12:00 C:\WINNT\system32\mobsync.exe]
"CpuIdle"="C:\Program Files\CpuIdle\cpuidle.exe" [30/12/03 13:18 ]
"Tweak UI"="TWEAKUI.CPL" [18/06/00 14:03 C:\WINNT\system32\TWEAKUI.CPL]
"TCASUTIEXE"="TCAUDIAG.exe" [12/01/00 19:15 C:\WINNT\system32\TCAUDIAG.EXE]
"WINDVDPatch"="CTHELPER.EXE" [07/02/02 18:01 C:\WINNT\system32\CTHELPER.EXE]
"UpdReg"="C:\WINNT\UpdReg.EXE" [11/05/00 01:00 ]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [04/10/01 01:00 ]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [13/11/01 15:43 ]
"POINTER"="point32.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [19/05/03 23:57 ]
"MBM 5"="C:\Program Files\Motherboard Monitor 5\MBM5.EXE" [12/06/04 09:40 ]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [20/09/03 19:23 ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [16/08/07 15:27 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [03/06/05 03:52 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/06 16:40 ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [12/08/05 14:43 ]
"PowerStrip"="f:\program files\powerstrip\pstrip.exe" [06/11/06 12:35 ]
"Phase One Media Reader"="G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe" [26/10/06 11:49 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [22/07/07 19:19 ]
"ctfmon.exe"="ctfmon.exe" [20/02/01 13:09 C:\WINNT\system32\CTFMON.EXE]
"NoAdware5"="f:\Program Files\NoAdware5.0\NoAdware5.exe" [12/01/07 11:17 ]
"SUPERAntiSpyware"="G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21/06/07 14:06 ]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= G:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/06 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
G:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/07 13:41 294912 G:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmxmcro32]
pmxmcro32.dll 24/01/04 12:37 8192 C:\WINNT\system32\pmxmcro32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINNT\system32\hadjajr.ini
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R0 PenClass;Pen Class;C:\WINNT\System32\Drivers\PenClass.sys
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\System32\DRIVERS\SONYPVM1.SYS
R1 Avg7RsNT;AVG7 Rezident Driver;C:\WINNT\System32\Drivers\avg7rsnt.sys
R1 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINNT\System32\DRIVERS\CINEMSUP.SYS
R1 cpuidlep;CpuIdle Pro System Driver;C:\WINNT\System32\drivers\cpuidlep.sys
R1 UdfReadr;UdfReadr;C:\WINNT\System32\drivers\UdfReadr.sys
R1 XPROTECTOR;XPROTECTOR;\??\C:\WINNT\system32\drivers\Oreans.sys
R2 PStrip;PStrip;C:\WINNT\System32\drivers\pstrip.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\System32\DRIVERS\TCAITDI.sys
R3 IRCOMM;IRCOMM;C:\WINNT\System32\drivers\Ircomm.sys
R3 KRNBRIDG;IrBridge Kernel-Level Interface;C:\WINNT\System32\DRIVERS\krnbridg.sys
R3 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
S1 Avg78u2;Avg78u2;\??\C:\WINNT\System32\drivers\rookperf9.sys
S1 Busllel;Busllel;\??\C:\WINNT\System32\drivers\updnkfwd9.sys
S1 Clads35;Clads35;\??\C:\WINNT\System32\drivers\ndptape9.sys
S1 msi8042;msi8042;C:\WINNT\System32\DRIVERS\msi8042.sys
S1 NABport;NABport;\??\C:\WINNT\System32\drivers\pfcbcamd9.sys
S1 PoliSrv;PoliSrv;\??\C:\WINNT\System32\drivers\ntfreams9.sys
S2 P1C1394;Phase One 1394 Camera Driver;C:\WINNT\System32\Drivers\p1c1394.sys
S3 cvmonspy;CVSpyder.sys ColorVision Monitor Spyder;C:\WINNT\System32\Drivers\CVSpyder.sys
S3 cvspydr;ColorVision Spyder;C:\WINNT\System32\DRIVERS\cvspydr.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINNT\System32\DRIVERS\cvspydr2.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys
S3 FBAccess;FBAccess;\??\C:\Documents and Settings\Administrator\Desktop\New Folder\FBAccess.sys
S3 lolevel4;lolevel4;\??\C:\WINNT\System32\Drivers\lolevel4.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINNT\System32\DRIVERS\MSIRCOMM.sys
S3 MXBULK;DualCam Still, MXBulk3.Sys;C:\WINNT\System32\Drivers\MXBulk3.sys
S3 MXCap;DSC-06 Video Camera;C:\WINNT\System32\DRIVERS\MXCap3.sys
S3 UtilNT;UtilNT;\??\C:\WINNT\system32\drivers\UtilNT.sys
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys

**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 23:40:20
Windows 5.0.2195 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 30/08/2007 23:41:31
C:\ComboFix3.txt ... 28/08/07 22:08
C:\ComboFix-quarantined-files.txt ... 30/08/07 23:41
C:\ComboFix2.txt ... 29/08/07 18:35
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:02, on 30/08/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\usrbridg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\CpuIdle\cpuidle.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\program files\powerstrip\pstrip.exe
G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\System32\ctfmon.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yorkshire-divers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;<local>
O2 - BHO: (no name) - {4526C456-D5FA-49D2-A927-213BEE23295C} - (no file)
O2 - BHO: (no name) - {7354A1D8-4269-4851-9E03-0C9A35373CE0} - (no file)
O2 - BHO: (no name) - {A54848A8-CF1B-4B86-B008-8AE3CB240A32} - (no file)
O2 - BHO: (no name) - {C55B8297-6FA8-4C34-8BF4-6FFD1260FFC3} - (no file)
O2 - BHO: (no name) - {D1D8AB88-CAF2-4BB7-AB24-9B2DB5AFDA1B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdle\cpuidle.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PowerStrip] f:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Phase One Media Reader] G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NoAdware5] "f:\Program Files\NoAdware5.0\NoAdware5.exe" :Min:
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = F:\program files\ColorVision\Utility\ColorVisionStartup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123873464421
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.thebiginter.net/webcam/h263ctrl.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://I:\SuperCD\IntraLaunch.CAB
O16 - DPF: {D6862A22-1DD6-11D3-BB7C-444553540000} - http://www.portalsearching.com/toolbar/bho.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://fotobook.foto.com/activex/SpeedUploader.cab
O20 - AppInit_DLLs: C:\WINNT\system32\hadjajr.ini
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmxmcro32 - C:\WINNT\SYSTEM32\pmxmcro32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINNT\system32\usrbridg.exe
--
End of file - 7645 bytes
 
Remember that HijackThis must be run in its own folder. Only if HijackThis is run in its own folder will it create backups!

Thanks, now we need to get HJT to fix a few things ...

C:\WINNT\system32\usrbridg.exe
It's a driver, needed for using the Ir (infrared) interface as a COM port ... if you do not use, or have, a phone that uses Ir, then use the BIOS to disable Ir. Do NOT fix using HJT.

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
Outdated; you need to update Java.
Do NOT fix using HJT

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
This entry should be fixed by HijackThis!

O2 - BHO: (no name) - {4526C456-D5FA-49D2-A927-213BEE23295C} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {7354A1D8-4269-4851-9E03-0C9A35373CE0} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {A54848A8-CF1B-4B86-B008-8AE3CB240A32} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {C55B8297-6FA8-4C34-8BF4-6FFD1260FFC3} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {D1D8AB88-CAF2-4BB7-AB24-9B2DB5AFDA1B} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
Microsoft Mobile Synchronization Manager. Not dangerous, but unnecessary.
One annoying programme you will find running in W2K/XP.

To stop this, run the programme "Synchronise" from your "Start/Programmes/Accessories" menu. Select Setup, and uncheck the synchronisation options, then deselect the option to synchronise your home page. From Explorer select Tools/Folder Options/Offline Files: deselect the "Enable Offline Files" option. When you reboot you will find the programme is no longer running by default. You can also remove optional components from your Windows 2000 installation that are not shown in the Add/Remove Programmes applet.

O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdle\cpuidle.exe
Not dangerous, but unnecessary.
CPU cooling program that works in tandem with Motherboard Monitor 5 ... uninstall MM5 ... use Core Temp if you need to monitor your temps

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
Not dangerous, but unnecessary.
CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative's sound drivers and utilities. Given its purpose, CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with the Windows Control Panel speaker setting. Without it running, that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time, so it's best left disabled unless you need it.

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
Not dangerous, but unnecessary. Reminder to register Creative Labs SoundBlaster Live! cards.

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
Not dangerous, but unnecessary. Added with SoundBlaster Live! or Audigy soundcards for headphone autodetection.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Not dangerous, but unnecessary. QuickTime ain't allowed on MY PCs.

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
Not dangerous, but unnecessary. See above note ... I recommend uninstalling.

O4 - HKLM\..\Run: [PowerStrip] f:\program files\powerstrip\pstrip.exe
This program is not required to start automatically as you can run it when you need to.

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
See info above.

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
Not dangerous, but unnecessary. Appears to be the "Internet Connection Wizard" from Internet Explorer being set-up as a desktop shortcut. Appears under the RunOnce registry key but is available under Start / Programs / Accessories / Communication (or similar) anyway

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
just another reminder to get Java updated ;)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
Needs fixing

O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.thebiginter.net/webcam/h263ctrl.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://I:\SuperCD\IntraLaunch.CAB
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

O16 - DPF: {D6862A22-1DD6-11D3-BB7C-444553540000} - http://www.portalsearching.com/toolbar/bho.cab
Should be fixed. This entry is possibly nasty.

O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://fotobook.foto.com/activex/SpeedUploader.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

O20 - AppInit_DLLs: C:\WINNT\system32\hadjajr.ini
Big bad nastie, must be fixed

O20 - Winlogon Notify: pmxmcro32 - C:\WINNT\SYSTEM32\pmxmcro32.dll
This has me completely foxed ??

O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINNT\system32\usrbridg.exe
See very first comment.


Disclaimer: Modifying the registry can cause serious problems that may require you to reinstall your operating system. I cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.

Windows 2000 with SP4 does not need the restore option as much as Windows XP does ... please update to SP4 ... also check Windows Update Site for any other critical/non-critical updates

Please post a new HJT log when done. :thumb:
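The entry-by-entry verdicts above are exactly the kind of rule-of-thumb triage that can be scripted. The following is an added example, not code from the thread or from HijackThis itself: it parses HJT v2 log lines and flags the same classes of entry the reply singles out (a populated AppInit_DLLs value, an unknown Winlogon Notify DLL, ActiveX controls pulled from hosts you do not recognise, orphaned O9 buttons, services with no publisher). The sample lines are copied from this thread's own logs; the trusted-host and known-Notify-DLL allow-lists and the high/medium/low scheme are assumptions chosen for illustration, not a vendor list.

```python
"""Triage a HijackThis (HJT) v2 log the way the reply above does by hand:
parse the O-lines and flag the entries worth fixing. Added example, not from
the thread; the allow-lists below are assumptions chosen for illustration."""
import re
from collections import Counter
from typing import NamedTuple, Optional
from urllib.parse import urlparse

# Constructed sample: HJT lines copied from the thread's own logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123873464421
O16 - DPF: {D6862A22-1DD6-11D3-BB7C-444553540000} - http://www.portalsearching.com/toolbar/bho.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://I:\SuperCD\IntraLaunch.CAB
O20 - AppInit_DLLs: C:\WINNT\system32\hadjajr.ini
O20 - Winlogon Notify: pmxmcro32 - C:\WINNT\SYSTEM32\pmxmcro32.dll
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
"""

# Assumed allow-lists; tune them to the machine you are looking at.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.update.microsoft.com"}
KNOWN_NOTIFY_DLLS = {"!saswinlogon", "crypt32chain", "cryptnet", "cscdll",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


class Finding(NamedTuple):
    section: str
    severity: str      # "high" | "medium" | "low"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Apply the per-section rules to one HJT line; None means nothing to flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # header, process list, R0/R1, blank ...
    section, body = m.group(1), m.group(2)
    low = body.lower()

    if section == "O20" and low.startswith("appinit_dlls:"):
        value = body.split(":", 1)[1].strip()
        if value:
            why = "AppInit_DLLs is loaded into every process that maps user32.dll"
            if not value.lower().endswith(".dll"):
                why += "; a non-.dll extension here is a disguise, not a config file"
            return Finding(section, "high", why, line)

    if section == "O20" and low.startswith("winlogon notify:"):
        name, _, path = body.split(":", 1)[1].strip().partition(" - ")
        if name.lower() not in KNOWN_NOTIFY_DLLS:
            in_sys = "\\system32\\" in path.lower()
            return Finding(section, "high" if in_sys else "medium",
                           "unknown Winlogon Notify DLL runs inside winlogon.exe at logon", line)

    if section == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        parsed = urlparse(url)
        if parsed.scheme.lower() == "file":
            return Finding(section, "medium", "ActiveX control registered from a local file:// path", line)
        if parsed.netloc.lower() not in TRUSTED_DPF_HOSTS:
            return Finding(section, "medium", f"ActiveX control from untrusted host {parsed.netloc}", line)

    if section == "O9" and "(no file)" in low:
        return Finding(section, "low", "orphaned IE button; fix to clean up", line)

    if section == "O23" and "unknown owner" in low:
        return Finding(section, "low", "service binary carries no publisher string; verify it", line)

    return None


def triage(log_text: str) -> list:
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def severity_counts(findings) -> dict:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

Run against the sample it flags six entries: the two O20 lines as high, the two non-Microsoft O16 controls as medium, and the orphaned O9 button and the publisher-less service as low; the AVG Run entry, the Windows Update control and the SUPERAntiSpyware Notify DLL pass. The point of the O20 rule is that AppInit_DLLs and Winlogon Notify are persistence, not convenience: anything listed there is mapped into every GUI process or into winlogon itself, which is why the reply treats them differently from the "unnecessary but harmless" O4 entries.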
 
Hi.


Thanks once again for your time and effort. Have followed your instructions. All went ok, but unable to start Java update option.

Latest Hijackthis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:34:17, on 31/08/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\usrbridg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
G:\New Folder (2)\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yorkshire-divers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Phase One Media Reader] G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = F:\program files\ColorVision\Utility\ColorVisionStartup.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123873464421
O20 - AppInit_DLLs: C:\WINNT\system32\hadjajr.ini
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINNT\system32\usrbridg.exe

--
End of file - 5234 bytes
 
We still have one nastie hanging on ... I want you to download;


http://siri.urz.free.fr/Fix/SmitfraudFix.exe

... and then follow the instructions from;

http://siri.geekstogo.com/SmitfraudFix.php

and once again, post a new HJT log when done. :thumb:

Java Download and Install
  1. Go to java.com
  2. Click Downloads on the upper right corner of the home page.
  3. Click see all Java downloads
  4. Click Windows XP/Vista/2000/2003 Offline. The File Download dialog box appears.
  5. Choose the folder location. (Save the file to a known location on your computer, for example, to your desktop).
  6. Click Save.
    The Save As dialog box appears.
    If you have previously downloaded this version of JRE, you may be prompted:
    File jre-6u2-rc-windows-i586.exe already exists. Do you want to replace it?
  7. Click Yes to replace.
  8. Verify that the:
    • Name of the file is jre-6u2-rc-windows-i586.exe
    • Size is approximately 13.8 MB
  9. Close all applications including the browser.
  10. Double-click on the saved file icon to start the installation process.
The installer unpacks the files needed for the installation, which takes less than a minute. After unpacking the installation files, a welcome screen is displayed, the installer presents an option to view the license agreement. You may choose to Accept the license agreement and continue the installation process.

http://www.java.com/en/download/help/6000010300.xml

Note: you do not need the Google Toolbar, so use the custom setup to untick, if you don't want it.

:user:
 
Hi.


Thanks again. Ran Smitfraudfix in safe mode but did not run as example, did not complete the first Killer pass. Said file already in use. Programme terminated early without giving option to clean registry.

Herewith HJToutput.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:58:57, on 01/09/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\usrbridg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\New Folder (2)\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yorkshire-divers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Phase One Media Reader] G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = F:\program files\ColorVision\Utility\ColorVisionStartup.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123873464421
O20 - AppInit_DLLs: C:\WINNT\system32\hadjajr.ini
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINNT\system32\usrbridg.exe
--
End of file - 4795 bytes
 
Hmmm, bugger ... we need SFF to run, it is Win2000 compatible.


OK, try this for me ...

Not in Safe Mode;

Double click SmitfraudFix.exe ... this will open a Command Window and also create the SmitfraudFix folder on your Desktop.
"press any key to continue..."
Press 1 and then ENTER to start the search process.

When the search has completed, a text file, rapport.txt, will open with the results in it ... Copy and paste this report into your next reply.

The report can be found at the root of the system drive, usually at C:\rapport.txt

The process may be detected as a risk by your AV, tell it it is ok


:thumb:
 
Seems to be a tough one. Must say computer is running much quicker so far.


Herewith latest output as requested.

SmitFraudFix v2.218
Scan done at 21:49:54.37, Sat 01/09/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\usrbridg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32
C:\WINNT\system32\hadjajr.ini FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\hadjajr.ini"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: 3Com EtherLink PCI (Microsoft's Packet Scheduler)
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{43C19786-B409-4C77-B9DC-13EE01BED076}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{43C19786-B409-4C77-B9DC-13EE01BED076}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{43C19786-B409-4C77-B9DC-13EE01BED076}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
 
ouch!!

OK, we will try a simple way then ...

Go and find C:\WINNT\system32\hadjajr.ini on your hard drive and simply delete it.

How are you at editing the registry, confident enough to try ?

If so, I need you to also, and at the same time, find

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\hadjajr.ini"


and delete it

This is not without some danger, so I would also advise backing-up the registry first. You do that by exporting it ... long time since I used W2K, so I'm afraid you're on your own here ... up to you if you want to continue.


:user:
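The two-step procedure above (export first so you can roll back, then remove the AppInit_DLLs value) can be prepared as a pair of .reg files instead of editing by hand. What follows is an added example, not code from the thread: it writes a backup .reg that re-creates the value as SmitfraudFix reported it, a fix .reg that deletes it using regedit's `"name"=-` syntax, and a small reader that can verify either file (or a regedit export of the key) before you double-click it. The current value is the one from the report above; the .reg format details (the Version 5.00 header, backslash escaping, UTF-16 encoding) are stated from memory of regedit's behaviour and are assumptions to check against a real export on the machine.

```python
"""Backup-then-delete for the AppInit_DLLs value as two .reg files, plus a
reader to verify them. Added example, not from the thread."""

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_NAME = "AppInit_DLLs"
HEADER = "Windows Registry Editor Version 5.00"   # regedit's .reg header (Windows 2000 and later)

# Taken from the SmitfraudFix report in the thread.
CURRENT_VALUE = r"C:\WINNT\system32\hadjajr.ini"


def reg_escape(text: str) -> str:
    """Quote a REG_SZ string the way regedit expects inside a .reg file."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(text: str) -> str:
    """Inverse of reg_escape: drop the backslash before an escaped character."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def backup_reg(current_value: str) -> str:
    """A .reg that re-creates the value exactly as it is now: the rollback file."""
    return (f"{HEADER}\r\n\r\n[{KEY}]\r\n"
            f'"{VALUE_NAME}"="{reg_escape(current_value)}"\r\n')


def fix_reg() -> str:
    """A .reg that deletes the value. A bare '-' after '=' is regedit's delete syntax;
    use "" instead of - if you prefer to keep the value present but empty."""
    return f"{HEADER}\r\n\r\n[{KEY}]\r\n" f'"{VALUE_NAME}"=-\r\n'


def read_value(reg_text: str, key: str, name: str):
    """Return the REG_SZ value of `name` under `key` in .reg text, or None when the
    value is absent or marked for deletion. Handles just enough of the format to
    verify the files above and a regedit export of this one key."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key or not line.startswith('"'):
            continue
        end = line.find('"=', 1)               # closing quote of the value name
        if end == -1 or reg_unescape(line[1:end]).lower() != name.lower():
            continue
        rhs = line[end + 2:]
        if rhs == "-":
            return None                        # "name"=-  deletes the value
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            return reg_unescape(rhs[1:-1])
    return None


def write_reg(path: str, content: str) -> None:
    """Version 5.00 files are UTF-16 with a BOM; Python's 'utf-16' codec writes that."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(content)


if __name__ == "__main__":
    write_reg("appinit_backup.reg", backup_reg(CURRENT_VALUE))
    write_reg("appinit_fix.reg", fix_reg())
    print(fix_reg())
```

Import appinit_fix.reg, reboot, and confirm the O20 line is gone from the next HJT log; if anything breaks, importing appinit_backup.reg restores the value. Deleting the registry value only stops the loader from mapping the file; the file itself still has to be deleted as the post says, otherwise the next dropper run just re-registers it.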
 
OK. Edited registry and removed offending file.


Here's latest HJT file. And SmitFraud.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13:03, on 02/09/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\usrbridg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\New Folder (2)\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yorkshire-divers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Phase One Media Reader] G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: ColorVisionStartup.lnk = F:\program files\ColorVision\Utility\ColorVisionStartup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123873464421
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINNT\system32\usrbridg.exe
--
End of file - 5081 bytes

SmitFraudFix v2.218
Scan done at 0:17:53.48, Sun 02/09/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\usrbridg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: 3Com EtherLink PCI (Microsoft's Packet Scheduler)
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{43C19786-B409-4C77-B9DC-13EE01BED076}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{43C19786-B409-4C77-B9DC-13EE01BED076}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{43C19786-B409-4C77-B9DC-13EE01BED076}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
 
At last ... your log is clean of any nasties it, and I, can see. :thumb:


Only one chore left to do ... update Windows. ;)

Go get the latest service pack, and, any other updates you see on Windows Update Site.

:D
 
Hi

Thanks for all your efforts. You are a star.

There should be some way to reward you for your time and skills.

Thanks again.

Chris
 
Sure, stick my address on a £50 note and send it off to me ... :D


I like to beat the little nasties, not always successful, and, they are getting extremely effective at infecting unsuspecting browsers.

Good luck, enjoy!


:user:
 