Full Version: dropper.agent.2am
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
marwan
Hello,
I'm new to this and don't know the proper way to post, but I have a trojan that's been in my PC for about 6 months called 'dropper.agent.2am' or something to that extent. I was recommended to download HijackThis and post the log in here. If someone could advise me of what to do, I'd appreciate it.
Ironbender
Hi marwan, welcome to SAF

I've split your post into this new topic, as posting in others' threads may confuse our members.

Please run updated copies of Ad-Aware SE and Spybot S&D, one at a time, and clean all you can. http://www.safer-networking.org/en/mirrors/index.html
http://www.download.com/3000-2144-10045910.html

Then, perform a HouseCall online virus check. http://housecall.trendmicro.com/

After that, please post a HijackThis log here, as someone may take a look at it. http://www.suggestafix.com/index.php?act=S...ST&f=15&t=16053

Chris
marwan
Here's the log. The damn trojan is in full mode right now; it's almost impossible to post anything without the vertical scroll bar jumping up and down. I'd appreciate any help in removing this P.O.S.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:43 AM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Marwan Bokhari\My Documents\HJT\HijackThis.exe

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecal...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127827911195
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127827898056
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: bw+0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

Basementgeek
I am sure HKEd will be along shortly, but your log is not showing a trojan, at least that I can see.

What program is telling you that you have a trojan, and does it give a location of it? My guess is it is the system restore files.

IMHO it would be safe to remove all the O18 entries on the Logitech items. But these are not causing your problems; they just aren't really needed.

BG
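The point Basementgeek makes, that the wall of O18 lines is really a handful of Logitech BackWeb handlers and that nothing in the log points at a missing or oddly placed file, is the kind of check worth scripting when reading these logs. The block below is an added example for this thread, not code from HijackThis or from anyone posting here. It parses a constructed sample (a few lines adapted from the log above, with the profile path made generic), collapses the O18 entries by CLSID and DLL, lists the entries HijackThis marked "(no file)" or "(file missing)", and lists processes running from outside the Windows and Program Files trees. The section tags and markers are HijackThis 1.99 conventions as they appear in the posted log; EXPECTED_ROOTS is an assumption for a stock XP install.

```python
"""Triage helper for a HijackThis 1.99.x log (added example, not HijackThis's
own code): groups entries by section, collapses the O18 protocol-handler
lines by (CLSID, DLL), and flags entries whose target file is gone."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines adapted from the log posted in the
# thread, with the user's profile path replaced by a generic "user".
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\The Cleaner\tca.exe
C:\Documents and Settings\user\My Documents\HJT\HijackThis.exe

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O18 - Protocol: bw+0 - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {E09CC86F-7028-4F24-A4F1-D708A8C926C9} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
MISSING_MARKERS = ("(no file)", "(file missing)")
# Assumed launch locations for a stock XP box; anything else gets a second look.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_hjt(text):
    """Return (running_processes, entries); each entry is a dict with the
    section tag (O2, O18, ...), raw body, CLSID if any, the trailing path
    field, and whether HijackThis marked the target as missing."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first O-line ends the process list
            section, body = m.groups()
            clsid = CLSID_RE.search(body)
            # HijackThis puts the file/DLL in the last " - " separated field.
            path = body.rsplit(" - ", 1)[1] if " - " in body else ""
            entries.append({
                "section": section,
                "body": body,
                "clsid": clsid.group(0).upper() if clsid else None,
                "path": path,
                "missing": any(mk in body for mk in MISSING_MARKERS),
            })
        elif in_procs:
            processes.append(line)
    return processes, entries


def collapse_protocols(entries):
    """Group O18 handlers by (CLSID, DLL): the dozens of bw* lines in the
    posted log reduce to a couple of Logitech BackWeb DLLs plus msnim."""
    groups = defaultdict(list)
    for e in entries:
        if e["section"] == "O18":
            scheme = e["body"].split(" - ", 1)[0].replace("Protocol: ", "")
            groups[(e["clsid"], e["path"])].append(scheme)
    return dict(groups)


def flag_orphans(entries):
    """Entries whose target no longer exists: usually uninstall leftovers,
    but also what a deleted dropper leaves behind, so list them for review."""
    return [e for e in entries if e["missing"]]


def odd_process_paths(processes):
    """Running processes outside the Windows and Program Files trees."""
    return [p for p in processes if not p.lower().startswith(EXPECTED_ROOTS)]


if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    for (clsid, dll), schemes in collapse_protocols(entries).items():
        print(f"O18 {clsid} -> {dll}: {len(schemes)} scheme(s) {schemes}")
    print("orphans:", *[e["section"] + " - " + e["body"] for e in flag_orphans(entries)], sep="\n  ")
    print("odd process paths:", *odd_process_paths(procs), sep="\n  ")
```

Run against the full log in the thread, the same grouping turns the dozens of O18 lines into two Logitech DLLs and the missing msnim handler, which is why they read as clutter rather than a finding; a missing target is something to clean up, not on its own evidence of the dropper AVG named. The only process outside the usual trees is HijackThis itself, run from My Documents, which is expected.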
HKEd
Hi marwan...I agree with BG. There's nothing malicious showing.

What you describe sounds more like a virus. I see you ran a Housecall scan. Did it report anything?

You could also try a Bitdefender online scan.

You don't appear to have a virus scanner installed.
marwan
I had a virus scanner installed, NAV as well as AVG or something similar, and AVG picked up on the trojan, but it could offer no help in removing it. I believe it was called 'dropper.agent.2AM', and the symptoms I was observing were the following:

- Total hijack of the vertical scroll bar: the page would move up and down very quickly, to the point where a page would be unreadable. Even if I clicked on my mouse, the bar would escape control and override my click. Speaking of which, the page just jumped on me.

- Whenever I have more than 2 windows open and decide to close one, the PC would work excessively to close a window; however, after the window 'supposedly closed' it would reappear again as if in a 'ghostly' fashion with nothing but a white screen and eventually retreat once more.

- Worst part about all this is, if I attempt to compose any type of email message or fill out something on a particular website and the screen starts moving vertically, I try to keep typing, hoping the page would stay at its exact location, only to find out the page went 'Back' and completely erased all pertinent information related to the original screen I was using.

- I've attempted several times to completely format my hard drive, each time I was prompted there was something active blocking the format's operation from starting.

So, I don't know what to do. I've tried almost all scanners, HouseCall scans... Norton, Webroot, Spybot, Ad-Aware, copied my log and posted it, and still nothing.
Ironbender
Hi marwan,

Download SilentRunners to the desktop and run it. It will take a minute or two, so wait for the prompt that the scan is complete. Post the log it generates.
http://www.silentrunners.org/Silent%20Runners.vbs

Chris
marwan
Here's the log... btw, BitDefender is still scanning and has found at least 7 viruses/trojans and indicates it's deleted them.

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
"LDM" = "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"tcactive" = "C:\Program Files\The Cleaner\tca.exe" ["MooSoft Development"]
"tcmonitor" = "C:\Program Files\The Cleaner\tcm.exe" ["MooSoft Development"]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" ["Logitech Inc."]
"LogitechGalleryRepair" = "C:\Program Files\Logitech\ImageStudio\ISStart.exe" ["Logitech Inc."]
"LogitechImageStudioTray" = "C:\Program Files\Logitech\ImageStudio\LogiTray.exe" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = "UberButton Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = "YahooTaggedBM Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\ImageStudio\NameSpc.dll" ["Logitech Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Startup items in "PrinceSlick" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\PrinceSlick\Start Menu\Programs\Startup
"Scheduler" -> shortcut to: "C:\Program Files\GhostSurf 2005\Scheduler daemon.exe" [file not found]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 137 seconds, including 11 seconds for message boxes)
Ironbender
QUOTE
bitdefender is still scanning and has found at least 7 virus/trojans and indicates it's deleted them.

This Silent Runners log was generated while BitDefender was still scanning?
If that's the case, you must wait for it to complete and post a new Silent Runners log afterward.
marwan
My bad!!!

Well, it's officially done and a report was sent back to bitdefender to use for comparison.

Here it is:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
"LDM" = "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"tcactive" = "C:\Program Files\The Cleaner\tca.exe" ["MooSoft Development"]
"tcmonitor" = "C:\Program Files\The Cleaner\tcm.exe" ["MooSoft Development"]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" ["Logitech Inc."]
"LogitechGalleryRepair" = "C:\Program Files\Logitech\ImageStudio\ISStart.exe" ["Logitech Inc."]
"LogitechImageStudioTray" = "C:\Program Files\Logitech\ImageStudio\LogiTray.exe" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = "UberButton Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = "YahooTaggedBM Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\ImageStudio\NameSpc.dll" ["Logitech Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\The Cleaner\tcshellex.dll" ["MooSoft Development"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Startup items in "PrinceSlick" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\PrinceSlick\Start Menu\Programs\Startup
"Scheduler" -> shortcut to: "C:\Program Files\GhostSurf 2005\Scheduler daemon.exe" [file not found]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 90 seconds, including 5 seconds for message boxes)
HKEd
Hi marwan...did you keep a copy of the BitDefender report? It would be helpful to see it.

There's nothing malicious showing in your log.
marwan
Of course!!

The scanner did remove some viruses and I've noticed a difference in the performance of the PC; however, the 'ghost' is still managing to 'jump' my vertical scroll bar... hopefully this'll reveal something...


BitDefender Online Scanner

Scan report generated at: Tue, Oct 25, 2005 - 14:57:17

Scan path: C:\Documents and Settings\PrinceSlick\My Documents;C:\Documents and Settings\All Users.WINDOWS\Documents;C:\;

Statistics
Time: 03:00:07
Files: 356211
Folders: 5968
Boot Sectors: 2
Archives: 2193
Packed Files: 55906

Results
Identified Viruses: 12
Infected Files: 26
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 40

Engines Info
Virus Definitions: 227513
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\addit.exe
Infected with: Dropped:Trojan.Spy.Middadle.A

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\addit.exe
Disinfection failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\addit.exe
Deleted

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Downloader.Agent.EC

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0002
Disinfection failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0002
Deleted

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)
Update failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0003
Infected with: Trojan.Downloader.Agent.AC

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0003
Disinfection failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0003
Deleted

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)
Update failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0004
Infected with: Trojan.Downloader.Apropo.E

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0004
Disinfection failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0004
Deleted

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)
Update failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0006
Infected with: Backdoor.Ruledor.C

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0006
Disinfection failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0006
Deleted

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)
Update failed

C:\Documents and Settings\Marwan Bokhari\My Documents\cracksearcher2\CrackSearcher(2)\CrackSearcher\CrackSearcher.exe
Infected with: Virtool.Cracksearch.A

C:\Documents and Settings\Marwan Bokhari\My Documents\cracksearcher2\CrackSearcher(2)\CrackSearcher\CrackSearcher.exe
Disinfection failed

C:\Documents and Settings\Marwan Bokhari\My Documents\cracksearcher2\CrackSearcher(2)\CrackSearcher\CrackSearcher.exe
Deleted

C:\Documents and Settings\PrinceSlick\Recent\CrackSearcher(2).lnk=>C:\Documents and Settings\Marwan Bokhari\My Documents\cracksearcher2\CrackSearcher(2).rar
Infected with: Virtool.Cracksearch.A

C:\Documents and Settings\PrinceSlick\Recent\CrackSearcher(2).lnk=>C:\Documents and Settings\Marwan Bokhari\My Documents\cracksearcher2\CrackSearcher(2).rar
Disinfection failed

C:\Documents and Settings\PrinceSlick\Recent\CrackSearcher(2).lnk=>C:\Documents and Settings\Marwan Bokhari\My Documents\cracksearcher2\CrackSearcher(2).rar
Deleted

C:\Documents and Settings\PrinceSlick\Recent\CrackSearcher(2).lnk
Update failed

C:\Program Files\AIM95\Sysfiles\WxBug.EXE=>wise0008
Detected with: Adware.Wheaterbug.A

C:\Program Files\AIM95\Sysfiles\WxBug.EXE=>wise0008
Disinfection failed

C:\Program Files\AIM95\Sysfiles\WxBug.EXE=>wise0008
Deleted

C:\Program Files\AIM95\Sysfiles\WxBug.EXE
Update failed

C:\Program Files\Norton AntiVirus\Quarantine\12DF0966.exe=>(Quarantine-2)
Infected with: Trojan.Vb.SR

C:\Program Files\Norton AntiVirus\Quarantine\12DF0966.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\12DF0966.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\4CC67648.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\Program Files\Norton AntiVirus\Quarantine\4CC67648.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\4D4C2FB5.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\Program Files\Norton AntiVirus\Quarantine\4D4C2FB5.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\4E0608E8.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\Program Files\Norton AntiVirus\Quarantine\4E0608E8.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\692D7196.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\Program Files\Norton AntiVirus\Quarantine\692D7196.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\70A1576A.exe=>(Quarantine-2)
Infected with: Trojan.Vb.KQ

C:\Program Files\Norton AntiVirus\Quarantine\70A1576A.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\70A1576A.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\70B12958.exe=>(Quarantine-2)
Infected with: Trojan.Septic.A.dr

C:\Program Files\Norton AntiVirus\Quarantine\70B12958.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\70B12958.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{0C51FCC4-5B13-4CB6-8EA2-49820FD34783}\RP136\A0006909.dll
Detected with: Adware.Weboffer.A

C:\System Volume Information\_restore{0C51FCC4-5B13-4CB6-8EA2-49820FD34783}\RP136\A0006909.dll
Disinfection failed

C:\System Volume Information\_restore{0C51FCC4-5B13-4CB6-8EA2-49820FD34783}\RP136\A0006909.dll
Deleted

C:\System Volume Information\_restore{0C51FCC4-5B13-4CB6-8EA2-49820FD34783}\RP136\A0006910.dll
Detected with: Adware.Weboffer.A

C:\System Volume Information\_restore{0C51FCC4-5B13-4CB6-8EA2-49820FD34783}\RP136\A0006910.dll
Disinfection failed

C:\System Volume Information\_restore{0C51FCC4-5B13-4CB6-8EA2-49820FD34783}\RP136\A0006910.dll
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006493.exe
Infected with: Dropped:Trojan.Spy.Middadle.A

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006493.exe
Disinfection failed

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006493.exe
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006494.exe
Infected with: Virtool.Cracksearch.A

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006494.exe
Disinfection failed

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006494.exe
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006495.exe=>(Quarantine-2)
Infected with: Trojan.Vb.SR

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006495.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006495.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006496.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006496.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006497.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006497.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006498.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006498.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006499.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006499.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006500.exe=>(Quarantine-2)
Infected with: Trojan.Vb.KQ

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006500.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006500.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006501.exe=>(Quarantine-2)
Infected with: Trojan.Septic.A.dr

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006501.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{4606D981-2D04-4267-8B75-DDB8BB23FCF8}\RP22\A0006501.exe=>(Quarantine-2)
Deleted

HKEd
The BitDefender log doesn't give us many clues. Except for some adware, the infections were in temp folders (which you should clean out regularly), Norton's quarantine and the System Restore folder.

Use CCleaner to clean out all junk files.

Clean out your System Restore as per the instructions here. Don't forget to set a new restore point afterwards.

We may be dealing with some kind of hidden infection. Download RootkitRevealer and unzip it. Rename RootkitRevealer.exe to Marwan.exe (if this is a rootkit infection, it may be programmed to hide from the real file name).

When you run it, click on Options and make sure that "Hide Standard NTFS Metadata Files" and "Scan Registry" are both checked. Click on Scan and let it scan your drive (it may take a while, so be patient). When it has finished, go to File > Save, save the log and post it in this thread.
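A way to read a BitDefender report like the one above mechanically, as an added example that is not part of this thread and not BitDefender's own tooling: the script pairs each path line with the status line under it, groups the events by on-disk file (the part before the first `=>`), and separates quarantine and restore-point copies from Temp and live locations, which is the distinction HKEd draws above. It also picks out files whose inner objects were deleted but which ended with `Update failed`, which I read as the container itself not having been rewritten; those are the ones worth deleting by hand. The sample report is an abridged copy of the one posted; the location markers, state names and that reading of `Update failed` are my own assumptions.

```python
import re

_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

# Where a hit can sit (markers are my own choice).  Quarantine and restore-point copies
# are inert, Temp is where droppers stage, anything else counts as live.
LOCATIONS = (
    ("quarantine", "\\norton antivirus\\quarantine\\"),
    ("restore_point", "\\system volume information\\_restore"),
    ("temp", "\\local settings\\temp\\"),
)


def location_of(path):
    low = path.lower()
    for label, marker in LOCATIONS:
        if marker in low:
            return label
    return "live"


def parse_report(text):
    """Group the (object, status) pairs of a BitDefender report by on-disk file.

    The report writes one path line followed by one status line per event.  Objects
    inside containers appear as outer=>inner, so the outer file is used as the key.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    start = next((i for i, l in enumerate(lines) if _DRIVE_PATH.match(l)), len(lines))
    records = {}
    for obj, status in zip(lines[start::2], lines[start + 1::2]):
        outer = obj.split("=>", 1)[0]
        records.setdefault(outer, []).append((obj, status))
    return records


def outcome(events):
    """Final state of one on-disk file plus the detection names reported for it."""
    names = sorted({s.split(":", 1)[1].strip()
                    for _, s in events if s.startswith(("Infected with:", "Detected with:"))})
    statuses = [s for _, s in events]
    if "Update failed" in statuses:
        # my reading: an inner object was deleted but the container was not rewritten
        state = "container_remains"
    elif "Deleted" in statuses:
        state = "deleted"
    else:
        state = "still_present"
    return state, names


def summarize(text):
    """One row per on-disk file: (path, location, state, [detection names])."""
    return [(outer, location_of(outer), *outcome(ev)) for outer, ev in parse_report(text).items()]


def needs_manual_removal(text):
    """Files the scanner left on disk, live locations first."""
    rows = [r for r in summarize(text) if r[2] != "deleted"]
    return [r[0] for r in sorted(rows, key=lambda r: r[1] != "live")]


# Constructed sample: an abridged copy of the report posted above, same layout.
SAMPLE_REPORT = r"""
Scanned File
Status

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\addit.exe
Infected with: Dropped:Trojan.Spy.Middadle.A

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\addit.exe
Disinfection failed

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\addit.exe
Deleted

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Downloader.Agent.EC

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)=>zlib_nsis0002
Deleted

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\all_files9.exe=>(NSIS o)
Update failed

C:\Program Files\AIM95\Sysfiles\WxBug.EXE=>wise0008
Detected with: Adware.Wheaterbug.A

C:\Program Files\AIM95\Sysfiles\WxBug.EXE=>wise0008
Deleted

C:\Program Files\AIM95\Sysfiles\WxBug.EXE
Update failed

C:\Program Files\Norton AntiVirus\Quarantine\4CC67648.exe=>(Quarantine-2)
Infected with: Backdoor.SDBot.YD

C:\Program Files\Norton AntiVirus\Quarantine\4CC67648.exe=>(Quarantine-2)
Deleted
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
    print("remove by hand:", needs_manual_removal(SAMPLE_REPORT))
```

Run against the full report, the two files it lists for manual removal are the AIM95 WxBug.EXE bundle and the Temp all_files9.exe dropper; everything else the scanner either deleted outright or found inside Norton's quarantine or a restore point.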
marwan
Here's the log:


C:\Documents and Settings\PrinceSlick\Application Data\Macromedia\Flash Player\#SharedObjects 10/27/2005 1:55 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Macromedia\Flash Player\#SharedObjects\MKNZV8UP 10/27/2005 1:55 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Macromedia\Flash Player\macromedia.com 10/27/2005 1:55 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Macromedia\Flash Player\macromedia.com\support 10/27/2005 1:55 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer 10/27/2005 1:55 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 10/27/2005 1:55 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 10/27/2005 1:55 PM 348 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Microsoft\MSN Messenger\2707496269\MapFile\TFR132.dat 10/27/2005 1:54 PM 11.35 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Microsoft\MSN Messenger\2707496269\MapFile\TFRE4.dat 10/26/2005 10:47 AM 10.86 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\PrinceSlick\Application Data\Microsoft\MSN Messenger\2707496269\UserTile\map.dat 10/26/2005 10:47 AM 628 bytes Visible in Windows API, directory index, but not in MFT.
C:\Documents and Settings\PrinceSlick\Application Data\Microsoft\MSN Messenger\2707496269\UserTile\TFR131.dat 10/27/2005 1:54 PM 16.44 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Cookies\princeslick@msn[1].txt 10/27/2005 1:52 PM 65 bytes Hidden from Windows API.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR130.tmp 10/27/2005 1:53 PM 29.97 KB Hidden from Windows API.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR133.tmp 10/27/2005 1:55 PM 12.92 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR134.tmp 10/27/2005 1:55 PM 45.57 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR139.tmp 10/27/2005 1:55 PM 72.33 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR13F.tmp 10/27/2005 1:55 PM 43.09 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR143.tmp 10/27/2005 1:55 PM 37.00 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR147.tmp 10/27/2005 1:55 PM 66.40 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR14B.tmp 10/27/2005 1:55 PM 34.74 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR14F.tmp 10/27/2005 1:55 PM 9.99 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR153.tmp 10/27/2005 1:55 PM 44.94 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR157.tmp 10/27/2005 1:55 PM 15.80 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR15B.tmp 10/27/2005 1:55 PM 23.05 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR15F.tmp 10/27/2005 1:55 PM 20.08 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR163.tmp 10/27/2005 1:55 PM 39.99 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR167.tmp 10/27/2005 1:55 PM 57.83 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR16B.tmp 10/27/2005 1:55 PM 22.72 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR16F.tmp 10/27/2005 1:55 PM 20.63 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR173.tmp 10/27/2005 1:55 PM 22.88 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR175.tmp 10/27/2005 1:55 PM 61.28 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR17B.tmp 10/27/2005 1:55 PM 30.65 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR17D.tmp 10/27/2005 1:55 PM 12.93 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR183.tmp 10/27/2005 1:55 PM 35.62 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L 10/27/2005 1:55 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\3082105m[1].png 10/27/2005 1:55 PM 2.88 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\3084886m[1].png 10/27/2005 1:55 PM 4.28 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\3084889m[1].png 10/27/2005 1:55 PM 5.12 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\3085342m[1].png 10/27/2005 1:55 PM 2.48 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\3088120m[1].png 10/27/2005 1:55 PM 3.34 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\3088123m[1].png 10/27/2005 1:55 PM 2.73 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\3088124m[1].png 10/27/2005 1:55 PM 2.03 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\3088260m[1].png 10/27/2005 1:55 PM 3.01 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\CTS3454L\desktop.ini 10/27/2005 1:55 PM 67 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\GPQRKHUV\CABI90PD.bin 10/27/2005 1:53 PM 19.38 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\WV3JM451\3081303m[1].png 10/27/2005 1:54 PM 3.94 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\WV3JM451\3082303m[1].png 10/27/2005 1:54 PM 4.47 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\WV3JM451\3085205m[1].png 10/27/2005 1:54 PM 4.32 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\WV3JM451\3085206m[1].png 10/27/2005 1:54 PM 4.37 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\WV3JM451\3088199m[1].png 10/27/2005 1:54 PM 5.02 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Recent\Picture 1.lnk 10/27/2005 1:54 PM 1.10 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\PrinceSlick\Recent\Pictures and Videos.lnk 10/27/2005 1:54 PM 809 bytes Visible in directory index, but not Windows API or MFT.
Angoid
Hi marwan,

Were you browsing the Internet or using Internet Explorer while the RKR scan was running?

You've got a lot of results in your temporary files that are probably harmless, and if you were surfing at the time, then this would be the result.

Carry out an online scan with Kaspersky's online scanner; that sometimes picks things up the others miss. When it's done, reboot your system into Safe Mode and re-run RootkitRevealer.

Leave the computer well alone until the scan has finished. Boot back as normal and post the RootkitRevealer log.
marwan
I did Kaspersky, it revealed more viruses *surprise*... I tried to re-run RootkitRevealer in Safe Mode and it refused to run, so I ran it again, without browsing online, and these are the results:

C:\Documents and Settings\PrinceSlick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 10/30/2005 2:14 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\PrinceSlick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 10/30/2005 4:31 AM 36 bytes Hidden from Windows API.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\8NPGIY50\_nn[1].htm 10/30/2005 4:07 PM 2 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\PrinceSlick\Local Settings\Temporary Internet Files\Content.IE5\8NPGIY50\_nn[2].htm 10/30/2005 5:08 PM 2 bytes Hidden from Windows API.
C:\WINDOWS\Temp\tmp000049d1 10/30/2005 5:02 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\Temp\tmp000049d1\tmp00000000 10/30/2005 4:27 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\Temp\tmp00006c13 10/30/2005 2:24 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\tmp00006c13\tmp00000000 10/30/2005 2:24 PM 0 bytes Visible in Windows API, but not in MFT or directory index.


Please advise... thank you.
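As an added example (not from this thread, and not part of RootkitRevealer), a small triage of RootkitRevealer output that applies the reasoning in the replies above: entries under Temp, Temporary Internet Files, Recent, Cookies and the Flash Player and MSN Messenger caches are treated as churn from an active desktop, the `:KAVICHS` alternate data stream is recognised as the stream Kaspersky Anti-Virus writes for its own iChecker bookkeeping, and only files reported as "Hidden from Windows API" outside those places are left for manual review. The sample lines are copied from the two logs above except the last one, `example.sys`, which is made up to show the review case; the verdict names and the directory list are my own.

```python
import re
from dataclasses import dataclass

# One RootkitRevealer result line, in the shape pasted above:
#   <path> <MM/DD/YYYY> <H:MM AM|PM> <size> <discrepancy text>
_LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\s*$"
)

# NTFS alternate data stream: a ':' inside the last path component, after the drive letter.
_ADS = re.compile(r"^[A-Za-z]:\\.*\\[^\\]*:[^\\]+$")

# Streams that scanners write for their own bookkeeping.
# KAVICHS is the stream Kaspersky Anti-Virus uses for its iChecker cache.
KNOWN_SCANNER_STREAMS = {"KAVICHS"}

# Directories that churn while the desktop is in use (list is my own choice).  A discrepancy
# here is usually a file created or deleted between RootkitRevealer's two passes.
VOLATILE_DIRS = (
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
    "\\windows\\temp\\",
    "\\cookies\\",
    "\\recent\\",
    "\\application data\\macromedia\\flash player\\",
    "\\application data\\microsoft\\msn messenger\\",
)


@dataclass
class Finding:
    path: str
    size: str
    desc: str
    verdict: str  # known_av_stream | review_stream | volatile | review_hidden | review


def parse_line(line):
    """Return (path, size, discrepancy) for a result line, or None for anything else."""
    m = _LINE.match(line.strip())
    return (m.group("path"), m.group("size"), m.group("desc")) if m else None


def classify(path, desc):
    """Scanner streams and volatile paths are explained away; hidden files elsewhere are not."""
    if _ADS.match(path):
        stream = path.rsplit(":", 1)[1]
        return "known_av_stream" if stream in KNOWN_SCANNER_STREAMS else "review_stream"
    if any(d in path.lower() + "\\" for d in VOLATILE_DIRS):
        return "volatile"
    # "Hidden from Windows API" is the wording that means API-level hiding; the other
    # wordings describe skew between the MFT and the directory index, which is what
    # files changing during the scan produce.
    if desc.lower().startswith("hidden from windows api"):
        return "review_hidden"
    return "review"


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            path, size, desc = parsed
            findings.append(Finding(path, size, desc, classify(path, desc)))
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample: four lines copied from the logs posted in this thread, plus one
# made-up line (example.sys) standing in for a file hidden outside any volatile folder.
SAMPLE_LOG = r"""
C:\Documents and Settings\PrinceSlick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 10/30/2005 4:31 AM 36 bytes Hidden from Windows API.
C:\Documents and Settings\PrinceSlick\Local Settings\Temp\TFR130.tmp 10/27/2005 1:53 PM 29.97 KB Hidden from Windows API.
C:\Documents and Settings\PrinceSlick\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 10/27/2005 1:55 PM 348 bytes Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Temp\tmp000049d1 10/30/2005 5:02 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\example.sys 10/30/2005 5:02 PM 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:16} {f.path}")
    print(summarize(results))
```

Applied to the second log above, every line falls into `known_av_stream` or `volatile`, which matches the view that nothing in it points at a kernel-level hider; the `review_hidden` bucket is the one that would justify a deeper look.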
Angoid
Hi Marwan,

I must confess that I'm a little bit stumped here ..... having said that though, it's worth running a Kaspersky scan with your System restore turned off.

Try turning system restore off and running another Kaspersky scan, and then reboot.

Then run Crap Cleaner again. Reboot afterwards.

Turn System Restore back on.

Sometimes a virus/trojan can get "stuck" in the System Restore folder, a protected area of Windows, and if that happens then your virus scanner will not be able to remove it.

Let us know how it goes!
marwan
Bad entry.. will repost again
marwan
Here are Kaspersky's results after all the steps:

KASPERSKY ON-LINE SCANNER REPORT
Friday, October 28, 2005 15:06:42
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/10/2005
Kaspersky Anti-Virus database records: 156940


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 11929
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 2193 sec

Infected Object Name Virus Name
C:\WINDOWS\system32\svch\svchost.exe Infected: Trojan.Win32.VB.aek

Scan process completed.


The next scan:

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, November 01, 2005 15:38:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/11/2005
Kaspersky Anti-Virus database records: 157701


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
E:\
F:\

Scan Statistics
Total number of scanned objects 26485
Number of viruses found 2
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 8585 sec

Infected Object Name Virus Name
C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\is-EM2MD.tmp\Advtg.exe Infected: not-a-virus:AdWare.Win32.EZula.bi

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\ss_cdt_setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sidesearch.e

C:\Documents and Settings\Marwan Bokhari\Local Settings\Temp\ss_cdt_setup.exe Infected: not-a-virus:AdWare.Win32.Sidesearch.e

Scan was interrupted by user!


marwan
A fresh scan of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:09 PM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Logitech\ImageStudio\ImgStud.exe
C:\Program Files\Logitech\ImageStudio\ImgStud.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marwan Bokhari\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system32\svch\svchost.exe
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecal...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127827911195
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127827898056
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BWYOOBAUQ - Unknown owner - C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\BWYOOBAUQ.exe (file missing)
O23 - Service: EIZNYWQHSECZJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EIZNYWQHSECZJ.exe
O23 - Service: FAAKPIUAKQN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FAAKPIUAKQN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: JXEC - Unknown owner - C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\JXEC.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: RJUBPR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RJUBPR.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Angoid
Hi Marwan,

Your HJT log is showing some more nasties. Let's hope that what we've done will flush this one out for good!!

Go to Start >> Run and type services.msc in the dialogue box. Press Enter.

Search for the following services, and for each of them make sure the service is Stopped and the Startup Type set to Disabled:

BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

BWYOOBAUQ - Unknown owner - C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\BWYOOBAUQ.exe (file missing)

JXEC - Unknown owner - C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\JXEC.exe (file missing)

BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)

BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)

BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Just the names of the services will show, along with the command (path to the file).

The reason for getting rid of the Bit Defender ones is that the file is missing; it can be reinstalled afterwards.

Exit Services.msc and run HijackThis, with no other programs running. Place a check against the following items:

C:\WINDOWS\system32\rsvp.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system32\svch\svchost.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BWYOOBAUQ - Unknown owner - C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\BWYOOBAUQ.exe (file missing)
O23 - Service: JXEC - Unknown owner - C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\JXEC.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Click on Fix Checked and exit HijackThis. Reboot into Safe Mode.
Make sure your system is set to show all files, and then find/delete the following files:

C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\svch\ <= Entire Folder!!!


Reboot back as normal and post back a fresh log. Any idea why the Kaspersky scan is reporting "interrupted by user?" Was it you, or was it stopped automatically somehow?
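The checks Angoid applied to the O4 and O23 lines above (a service whose binary is gone, a binary sitting in a Temp folder, a random-looking service name, and an autostart entry that runs svchost.exe from a folder other than system32) can be written down as a small triage script. The following is an added example for this thread, not code from HijackThis or from the forum; the sample log lines are copied from the logs posted above, and the system32 path, the set of protected process names and the all-caps heuristic for "random" names are assumptions of the example. One caveat a practitioner would add: services whose owner string reads "Sysinternals" and whose binary has a random name are typically leftovers of a RootkitRevealer run, which installs a randomly named copy of itself as a service, and the "Hidden from Windows API" output earlier in the thread comes from that tool, so those hits should be checked against that before being treated as malware. The script flags them anyway, since that judgement is for the analyst.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread; not part of HijackThis or of the forum's advice.
It applies the same checks the helpers made by eye.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system32\svch\svchost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BWYOOBAUQ - Unknown owner - C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\BWYOOBAUQ.exe (file missing)
O23 - Service: EIZNYWQHSECZJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EIZNYWQHSECZJ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
"""

# Assumption: process names that legitimately live only in %windir%\system32 on XP.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32 = "c:\\windows\\system32"   # assumption: default XP install path

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_PREFIX = "O23 - Service: "
MISSING = "(file missing)"
TEMP_DIR_RE = re.compile(r"(?i)[\\/]temp[\\/]")
RANDOM_NAME_RE = re.compile(r"^[A-Z]{4,}$")   # heuristic: four or more capital letters and nothing else


@dataclass
class Entry:
    section: str            # "O4" or "O23"
    name: str               # Run value name or service display name
    path: str               # executable path, arguments stripped
    owner: str = ""         # O23 only: company string HijackThis read from the file
    file_missing: bool = False
    flags: list = field(default_factory=list)


def _exe_from_command(cmd: str) -> str:
    """Return the executable path from a logged command line, dropping arguments."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)^(.*?\.exe)", cmd)
    return m.group(1) if m else cmd


def parse_hjt(text: str) -> list:
    """Parse O4 and O23 lines; other HJT sections are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m.group("name"), _exe_from_command(m.group("cmd"))))
            continue
        if line.startswith(O23_PREFIX):
            body = line[len(O23_PREFIX):]
            missing = body.endswith(MISSING)
            if missing:
                body = body[: -len(MISSING)].rstrip()
            parts = body.split(" - ")
            # The owner field can itself contain " - " (e.g. "Sysinternals - www.sysinternals.com"),
            # so take the first part as the name, the last as the path, and rejoin the middle.
            name, owner, path = parts[0], " - ".join(parts[1:-1]), parts[-1]
            entries.append(Entry("O23", name, _exe_from_command(path), owner, missing))
    return entries


def triage(entries: list) -> list:
    """Attach reasons to suspicious entries and return only those that got one."""
    for e in entries:
        folder, _, exe = e.path.lower().rpartition("\\")
        reasons = []
        if e.file_missing:
            reasons.append("orphaned: binary gone but entry still registered")
        if TEMP_DIR_RE.search(e.path):
            reasons.append("binary lives in a Temp folder")
        if e.section == "O23" and RANDOM_NAME_RE.match(e.name):
            reasons.append("random-looking service name")
        if exe in SYSTEM_NAMES and folder != SYSTEM32:
            reasons.append(f"{exe} running from outside system32")
        e.flags = reasons
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section} {e.name!r} -> {e.path}")
        for r in e.flags:
            print(f"    - {r}")
```

Run against the sample, the script flags the svchost.exe autostart in the svch subfolder, the orphaned BitDefender service, and the two random-named Temp services, and leaves LVCOMSX, MSN Messenger, IDriverT and RioMSC alone. It does not decide what to remove; it only reproduces the shortlist a helper would build before asking the user about each item.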
marwan
Here's the latest copy:

Logfile of HijackThis v1.99.1
Scan saved at 5:15:10 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Marwan Bokhari\My Documents\HJT\HijackThis.exe

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecal...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127827911195
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127827898056
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EIZNYWQHSECZJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EIZNYWQHSECZJ.exe
O23 - Service: FAAKPIUAKQN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FAAKPIUAKQN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: RJUBPR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RJUBPR.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



The Kaspersky was interrupted by my dog, so I posted what was available.
HKEd
Hi marwan...
QUOTE
The Kaspersky was interrupted by my dog

I suppose the dog ate your homework as well.

Did you install anything from Sysinternals? These look very odd:

O23 - Service: EIZNYWQHSECZJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EIZNYWQHSECZJ.exe

O23 - Service: FAAKPIUAKQN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FAAKPIUAKQN.exe


Fix them and run CCleaner in safe mode. Boot back to normal mode and post a fresh log.

BTW, using Warez as your P2P client probably means that you'll be a regular visitor to this forum. There are safer alternatives.
marwan
I did use Warez recently, however I'm not a consistent visitor.

Logfile of HijackThis v1.99.1
Scan saved at 10:11:33 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Marwan Bokhari\My Documents\HJT\HijackThis.exe

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecal...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127827911195
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127827898056
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: RJUBPR - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RJUBPR.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

HKEd
If you only use Warez occasionally, disable its startup in Msconfig. There's no reason for it to be running all the time. Fire it up as needed.

Fix this one and run CCleaner again:

O23 - Service: RJUBPR - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RJUBPR.exe (file missing)

You should install SpywareBlaster and SpywareGuard, both free and available from Javacool Software.

In IE, click on Tools > Internet Options > Advanced tab, scroll down to the Security header and put a check in the box to empty temp internet files when the browser is closed.
marwan
I have BitDefender, is that sufficient or should I add more protection?

Thanks for the on-going support, I have added an additional 256mb of ram to my pc and have noticed a significant jump in the performance, I plan on adding one more stick of ram to max it out.

HKEd
QUOTE (marwan @ Nov 16 2005, 11:54 PM)
I have BitDefender, is that sufficient or should I add more protection?

BitDefender is a good product. I often recommend its online scan over Housecall's as it can detect hidden malware in alternate data streams (don't ask).

As regards added protection, I quote from my previous post:

QUOTE
You should install SpywareBlaster and SpywareGuard, both free and available from Javacool Software.
marwan
On a completely different matter, I purchased a 256mb sdram and installed the chip in the second memory slot in my pc, along with another 256mb... to try and max my ram out @ 512 and my pc kept rebooting over and over again, along with an accompanying screen that displayed the pc was having a problem with its configuration. I'm currently running a P3 533mhz processor @ 384mb sdram (128mb original and 256mb added) and it's working fine (naturally). Is it even possible to max my pc @ .5 gig or am I overloading it with memory that the motherboard can't accept the extra power?
HKEd
Can't answer that without knowing the motherboard specs, marwan. However, most motherboards have the capacity to handle much more than you are attempting to install.

Does it work with just the new 256MB stick in Bank 0? Is it the same brand of RAM? Some systems don't tolerate mixed RAM.
Invision Power Board © 2001-2009 Invision Power Services, Inc.