
svehost.exe computer shutdown problem

  • 03-05-2007 3:30pm
    #1
    Registered Users, Registered Users 2 Posts: 500 ✭✭✭


    My computer keeps shutting down saying "svehost.exe" has a serious error. What does this program do? And can anyone help or give experiences on this problem?


Comments

  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    I assume you mean svchost.exe. It is a system process used by Windows and it loads all the services needed when Windows has started.
    Try right clicking on My Computer->Properties->Advanced tab->under Startup and Recovery click Settings and then untick beside Automatically Restart.
    If it happens again, you should get some information from the bluescreen.

    You could also try running a virus scan in Safe Mode as svchost.exe is also registered as a trojan.


  • Closed Accounts Posts: 16,713 ✭✭✭✭jor el


    Are you sure it's svehost and not svchost? svchost.exe is an important part of Windows and if it's damaged or corrupt then your PC would probably stop working. svehost seems to be some sort of spyware. I wouldn't have thought that spyware crashing would shut down the PC on its own unless it's causing other problems too. A good spyware and virus scan might help. Adaware is one good program but there are loads more such as Spybot Search and Destroy. Also have a look for stinger.exe to do a virus check.


  • Registered Users, Registered Users 2 Posts: 3,357 ✭✭✭snappieT


    Does it only happen when you're online, by any chance?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Let's see if it's a trojan/spyware issue.

    Please download the self-extracting version of HijackThis from here:

    HijackThis_sfx download

    Save HijackThis_sfx to your desktop.

    Double-click the file then click the Unzip button. Then close the Self-Extractor window.

    Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

    Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

    Open HijackThis and click Do a system scan and save a log file. Copy the entire contents of that log and post it here.


  • Registered Users, Registered Users 2 Posts: 500 ✭✭✭slickmcvic


    Cheers for the help lads!
    snappieT wrote:
    Are you sure it's svehost and not svchost
    Yep, that's what the error report tells me after it's restarted!!
    Ruu wrote:
    Does it only happen when you're online, by any chance?

    Yeah, recently it has started just as I've logged online.
    jor el wrote:
    Try right clicking on My Computer->Properties->Advanced tab->under Startup and Recovery click Settings and then untick beside Automatically Restart
    Yeah, the blue screen only appears for 1 second before restart.


    I installed Norton 2007 there the last day but it still occurs!!


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    I thought you meant svchost.exe also (thought you made a typo); svehost.exe is a trojan. Follow my above post if you want to fix it.


  • Registered Users, Registered Users 2 Posts: 3,357 ✭✭✭snappieT


    slickmcvic wrote:
    snappieT wrote:
    Does it only happen when you're online, by any chance?
    Yeah Recently it has started just as ive logged online
    I know you said it wasn't svChost, but if it is, this would suggest the good old Blaster virus.

    Tonnes of removal tools out there now, just do a search. This is assuming it is svchost.exe.


  • Registered Users, Registered Users 2 Posts: 500 ✭✭✭slickmcvic


    Here is the list of what came up when I ran HijackThis....
    Any ideas what to do now??
    Thanks
    Logfile of HijackThis v1.99.1
    Scan saved at 20:25:46, on 03/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Cpqs\Scom\srmclean.exe
    C:\WINDOWS\system32\clcl7.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\Hpqdirec.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jon44w.co.uk/forum/today.php
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp27.tmp.dll
    O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\system32\ipv6monk.dll
    O2 - BHO: (no name) - {cddaebff-783f-4ff5-8e51-d77dbd7baa1e} - C:\WINDOWS\system32\btpsrc.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
    O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\efcyxv.dll",realset
    O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\system32\clcl7.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: btpsrc - C:\WINDOWS\SYSTEM32\btpsrc.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    You have quite a few bad infections, so please do all these steps in the one go to prevent them coming back.

    A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
    1. Please download LSPFix from here.
    2. Run the LSPFix.exe that you have just finished downloading.
    3. Check the I know what I'm doing box.
    4. In the Keep box you should see one or more instances of cbiqvwtdetn.dll.
    5. Select every instance of cbiqvwtdetn.dll and move each one to the Remove box by clicking the >> button.
    6. When you are done click Finish>>.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Run HijackThis, click "Do a system scan only" and check these entries if present

    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp27.tmp.dll
    O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\system32\ipv6monk.dll
    O2 - BHO: (no name) - {cddaebff-783f-4ff5-8e51-d77dbd7baa1e} - C:\WINDOWS\system32\btpsrc.dll
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\efcyxv.dll",realset
    O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\system32\clcl7.exe
    O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: btpsrc - C:\WINDOWS\SYSTEM32\btpsrc.dll


    Then please delete these files in bold if present:

    C:\WINDOWS\system32\lsasss.exe <-- DON'T DELETE THE LEGIT FILE lsass.exe, this is very important
    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\efcyxv.dll
    C:\WINDOWS\system32\clcl7.exe
    c:\windows\system32\cbiqvwtdetn.dll

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the instructions here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan.
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and copy & paste the entire report in your next reply.

    You now need to update your Java and remove your older versions.
    Please follow these steps to remove older version Java components.

    * Click Start > Control Panel.
    * Click Add/Remove Programs.
    * Check any item with Java Runtime Environment (JRE) in the name.
    * Click the Remove or Change/Remove button.

    Download the latest version of Java Runtime Environment (JRE), and install it to your computer.
    http://java.sun.com/javase/downloads/index.jsp
    Go down to Java Runtime Environment (JRE) to get it

    You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
    http://www.adobe.com/products/acrobat/readstep2.html

    Once you have done all these steps, post the Combofix log, the Vundofix log, a new HijackThis log, and the F-Secure Online scanner report
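    The entries the helper singled out above follow patterns a script can pick out of a HijackThis log: a run entry whose file name is one character away from a real Windows binary (svehost.exe beside svchost.exe, lsasss.exe beside lsass.exe), an unknown DLL repeated through the Winsock LSP chain, BHOs with no name, and a Winlogon Notify DLL. The Python below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool mentioned here. The list of imitated system binaries, the rule names and the severities are this example's own assumptions, and the sample log is constructed from lines of the log posted earlier in the thread with a few benign entries left in.

```python
import re

# Windows binaries whose names malware commonly imitates. Assumed list for
# this example; extend it to taste.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe",
    "csrss.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe",
}

# One file reference inside an O4 command line: a drive-letter path or a bare
# file name ending in .exe/.dll. Quotes, commas and arguments are skipped.
FILE_REF = re.compile(r"(?i)(?:[a-z]:\\[^\",]*?|[\w.~-]+)\.(?:exe|dll)")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

SEVERITY_RANK = {"high": 0, "medium": 1, "review": 2}

# Constructed sample: lines taken from the HijackThis log posted in this
# thread, plus benign entries so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp27.tmp.dll
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\system32\ipv6monk.dll
O2 - BHO: (no name) - {cddaebff-783f-4ff5-8e51-d77dbd7baa1e} - C:\WINDOWS\system32\btpsrc.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\efcyxv.dll",realset
O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\system32\clcl7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: btpsrc - C:\WINDOWS\SYSTEM32\btpsrc.dll
"""


def edit_distance(a, b):
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").split("\\")[-1].lower()


def lookalike_of(filename):
    """Return the system binary this name imitates (distance exactly 1), else None."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for legit in sorted(SYSTEM_BINARIES):
        if edit_distance(name, legit) == 1:
            return legit
    return None


def triage(log_text):
    """Return (severity, rule, evidence) tuples for suspicious lines, worst first."""
    findings = []
    lsp_files = set()  # the LSP line repeats once per chain entry; report it once
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            for ref in FILE_REF.findall(m["cmd"]):
                legit = lookalike_of(basename(ref))
                if legit:
                    findings.append(("high", "lookalike-name",
                                     f"{ref} imitates {legit} (O4 [{m['label']}])"))
            if "rundll32" in m["cmd"].lower():
                findings.append(("review", "rundll32-loaded-dll", m["cmd"]))
        elif m := O2_RE.match(line):
            if m["name"] == "(no name)":
                findings.append(("medium", "nameless-bho", f"{m['clsid']} -> {m['path']}"))
        elif m := O10_RE.match(line):
            lsp_files.add(m["path"].lower())
        elif m := O20_RE.match(line):
            findings.append(("medium", "winlogon-notify-dll", m["path"]))
    for path in sorted(lsp_files):
        findings.append(("high", "unknown-winsock-lsp", path))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for severity, rule, evidence in triage(SAMPLE_LOG):
        print(f"{severity:6} {rule:22} {evidence}")
```

    The rules are deliberately narrow. Lookalike detection is a distance-1 name comparison, so it catches svehost.exe and lsasss.exe but says nothing about clcl7.exe or efcyxv.dll, which the helper recognised from experience rather than from their names; treat the output as a shortlist for a person to check against the full log, not as a verdict.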


  • Registered Users, Registered Users 2 Posts: 500 ✭✭✭slickmcvic


    Think it's worked, laptop's going fine now!!
    Thanks a million.
    Cheers bud!!

    Logfile of HijackThis v1.99.1
    Scan saved at 17:42:59, on 13/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jon44w.co.uk/forum/today.php
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {cddaebff-783f-4ff5-8e51-d77dbd7baa1e} - C:\WINDOWS\system32\btpsrc.dll (file missing)
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
    O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O20 - AppInit_DLLs:
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    ComboFix log
    "Owner" - 2007-05-13 17:15:29 Service Pack 2
    ComboFix 07-05.13.V - Running from: "G:\Antivirus\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\cent.exe.exe
    C:\WINDOWS\system32\pdp.exe.exe
    C:\WINDOWS\system32\clcl7.exe
    C:\WINDOWS\system32\ipv6monk.dll
    C:\WINDOWS\system32\ipv6monl.dll
    C:\WINDOWS\system32\tmp27.tmp.dll
    C:\WINDOWS\system32\svcp.csv
    C:\WINDOWS\system32\winsub.xml
    C:\WINDOWS\system32\lsasss.exe
    C:\WINDOWS\system32\sony.exe
    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\system32\cbiqvwtdetn.dll
    C:\WINDOWS\system32\wincom32.sys
    C:\WINDOWS\system32\windev-4c04-75d6.sys
    C:\WINDOWS\system32\windev-peers.ini
    C:\WINDOWS\system32\kprof
    C:\WINDOWS\system32\koos.exe
    C:\WINDOWS\system32\poof
    C:\cp1041.nls

    Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
    Restored copy from - "c:\WINDOWS\ServicePackFiles\i386\ndis.sys"



    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    \LEGACY_NTLDR.SYS
    \LEGACY_POOF
    \ntldr.sys
    \windev-4c04-75d6


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


    2007-05-13 16:55 <DIR> d C:\VundoFix Backups
    2007-05-01 00:33 48,824 --a C:\WINDOWS\system32\S32EVNT1.DLL
    2007-05-01 00:33 108,728 --a C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-04-26 21:00 91,717 --a C:\WINDOWS\system32\cent.exe
    2007-04-25 17:06 106,752 --a C:\WINDOWS\efcyxv.dll
    2007-04-15 21:27 17,536 --a C:\WINDOWS\system32\drivers\grmn0200.sys
    2007-04-15 21:27 16,512 --a C:\WINDOWS\system32\drivers\grmn0400.sys
    2007-04-15 21:27 11,776 --a C:\WINDOWS\system32\drivers\grmn1200.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-05-01 22:19:28 d w C:\Program Files\Common Files\Symantec Shared
    2007-04-30 23:47:26 d w C:\Program Files\Norton AntiVirus
    2007-04-30 23:46:11 d w C:\Program Files\SymNetDrv
    2007-04-30 23:41:08 d w C:\Program Files\Symantec
    2007-04-30 23:09:52 d w C:\Program Files\Common Files\InstallShield
    2007-04-20 22:14:07 d w C:\DOCUME~1\Owner\APPLIC~1\uTorrent
    2007-04-12 14:48:13 d w C:\Program Files\DivX
    2007-04-12 14:16:22 d w C:\Program Files\uTorrent
    2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-03-27 07:55:32 2,560 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-03-27 07:55:32 2,432 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-03-27 07:55:31 36,624 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-03-27 07:55:31 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
    2007-03-27 07:55:31 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
    2007-03-27 07:55:31 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
    2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-03-25 21:42:03 d w C:\DOCUME~1\Owner\APPLIC~1\U3
    2007-03-05 16:59:01 d w C:\Program Files\QuickTime
    2007-03-05 16:57:37 36,429 ----a-w C:\WINDOWS\system32\UMonit2K.exe
    2007-03-05 16:57:37 36,429 ----a-w C:\WINDOWS\system32\umonit.exe
    2007-02-16 01:40:35 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 17:39]
    {cddaebff-783f-4ff5-8e51-d77dbd7baa1e}=C:\WINDOWS\system32\btpsrc.dll []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATIModeChange"="Ati2mdxx.exe"
    "CARPService"="carpserv.exe"
    "ATIPTA"="C:\\PROGRAM FILES\\ATI TECHNOLOGIES\\ATI CONTROL PANEL\\ATIPTAXX.EXE"
    "PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
    "srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
    "TV Now"="C:\\Program Files\\HPQ\\Notebook Utilities\\TvNow.exe /RK"
    "Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
    "QT4HPOT"="C:\\PROGRA~1\\HPQ\\ONE-TO~1\\OneTouch.EXE"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
    "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
    "Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
    "Gene USB Monitor"="C:\\WINDOWS\\system32\\UMonit2K.exe"
    "UMonit"="C:\\WINDOWS\\System32\\umonit.exe"
    "AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIModeChange"="Ati2mdxx.exe" [2002-08-15 23:18 C:\WINDOWS\system32\Ati2mdxx.exe])
    "CARPService"="carpserv.exe" [2003-05-21 15:35 C:\WINDOWS\system32\carpserv.exe])
    "ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2007-03-05 17:57]
    "PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 08:05]
    "srmclean"="C:\Cpqs\Scom\srmclean.exe" [2007-03-05 17:57]
    "TV Now"="C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" [2007-03-05 17:57]
    "Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2007-03-05 17:57]
    "QT4HPOT"="C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE" [2007-03-05 17:57]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-03-05 17:57]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-05 17:57]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2007-03-05 17:57]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2007-03-05 17:57]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2007-03-05 17:57]
    "Gene USB Monitor"="C:\WINDOWS\system32\UMonit2K.exe" [2007-03-05 17:57]
    "UMonit"="C:\WINDOWS\System32\umonit.exe" [2007-03-05 17:57]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-03-05 17:57]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2007-03-05 17:57]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-05 17:57]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 08:04]
    "osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 02:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
    "gStart"="C:\Garmin\gStart.exe" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "gStart"="C:\\Garmin\\gStart.exe"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages msv1_0\0\0
    Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages scecli\0\0




    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService DnsCache\0\0
    rpcss RpcSs\0\0
    imgsvc StiSvc\0\0
    termsvcs TermService\0\0
    HTTPFilter HTTPFilter\0\0
    DcomLaunch DcomLaunch\0TermService\0\0

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fc3e4400-96a1-11db-9bb9-000d9d86af66}]
    Shell\AutoRun\command E:\setupSNK.exe

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1102976451.job
    C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-13 17:30:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\system.sav\CTO.TXT 4096 bytes
    C:\system.sav\CTOHW.TXT 16 bytes
    C:\system.sav\DAYLGSAV.reg 320 bytes
    C:\system.sav\INFO.BOM 8192 bytes
    C:\system.sav\INFO2.BOM 8192 bytes
    C:\system.sav\ISLOGCHK.LOG 472 bytes
    C:\system.sav\REBOOT.ME 48 bytes
    C:\system.sav\REGDEV.LOG 40 bytes
    C:\system.sav\REGFLUSH.LOG 4096 bytes
    C:\system.sav\RegionCF
    C:\system.sav\RegionCF\euro.reg 216 bytes
    C:\system.sav\RegionCF\SFr.reg 232 bytes
    C:\system.sav\RmDev.log 12288 bytes
    C:\system.sav\T55XGB.B22 4096 bytes
    C:\system.sav\TNXHLC.002 4096 bytes
    C:\system.sav\TNXXHP.032 4096 bytes
    C:\system.sav\TNXXHP.B22 4096 bytes
    C:\system.sav\TNXXIN.B22 4096 bytes
    C:\system.sav\util
    C:\system.sav\util\adobe.log 160 bytes
    C:\system.sav\util\AppEvBk1.old 65536 bytes
    C:\system.sav\util\ATIRES.EXE 69632 bytes
    C:\system.sav\util\bootldr.flg 0 bytes
    C:\system.sav\util\BOOTSEC.NT4 512 bytes
    C:\system.sav\util\CHECKLOG.EXE 98304 bytes
    C:\system.sav\util\CIA.INI 65536 bytes
    C:\system.sav\util\CMDOOBE.CMD 72 bytes
    C:\system.sav\util\COMPNAME.EXE 32768 bytes
    C:\system.sav\util\DEFUSER.REG 320 bytes
    C:\system.sav\util\delcia.flg 32 bytes
    C:\system.sav\util\deldir.log 4096 bytes
    C:\system.sav\util\DESKZOOM.log 168 bytes
    C:\system.sav\util\grnscrn.bto 552 bytes
    C:\system.sav\util\grnscrn.exe 49152 bytes
    C:\system.sav\util\infobomg.exe 102400 bytes
    C:\system.sav\util\INSTALL.LOG 204800 bytes
    C:\system.sav\util\make_rtr.flg 136 bytes
    C:\system.sav\util\NbUtil.log 184 bytes
    C:\system.sav\util\oca.reg 352 bytes
    C:\system.sav\util\oca_mrk.bat 120 bytes
    C:\system.sav\util\oobe.min 136 bytes
    C:\system.sav\util\oobe.wpe 184 bytes
    C:\system.sav\util\osexclude.txt 208 bytes
    C:\system.sav\util\PININST.INI 112 bytes
    C:\system.sav\util\PININST.LOG 176 bytes
    C:\system.sav\util\POSTOOBE.CMD 312 bytes
    C:\system.sav\util\POSTOOBE.LOG 24 bytes
    C:\system.sav\util\postproc.ini 600 bytes
    C:\system.sav\util\Powerset.log 96 bytes
    C:\system.sav\util\random.ini 32 bytes
    C:\system.sav\util\SecEvBk1.old 65536 bytes
    C:\system.sav\util\SETNAME.EXE 32768 bytes
    C:\system.sav\util\sleep.exe 36864 bytes
    C:\system.sav\util\srtool.exe 36864 bytes
    C:\system.sav\util\sr_on.vbs 4096 bytes
    C:\system.sav\util\SysEvBk1.old 65536 bytes
    C:\system.sav\util\touchpad.log 184 bytes
    C:\system.sav\util\WINDVD.LOG 176 bytes

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 58


    ********************************************************************

    Completion time: 2007-05-13 17:32:16 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-05-13 17:32


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Please make sure you do all the steps or else your pc will get re-infected and you will be posting back here soon enough :(

    Make sure you run the F-Secure Online Scanner, and the Kaspersky Webscanner. Once you do those post their results back here.

    After that do the following.

    Run HijackThis, click "Do a system scan only" and check these entries:

    O2 - BHO: (no name) - {cddaebff-783f-4ff5-8e51-d77dbd7baa1e} - C:\WINDOWS\system32\btpsrc.dll (file missing)
    O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
    O20 - AppInit_DLLs:


    Close all windows except for HijackThis, and click "Fix checked".

    Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

    Double-click fsbl.exe then accept the agreement, click > "Scan" then > "Next".

    You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

    Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

    You're using an old version of Adobe Acrobat Reader; this can leave your pc open to vulnerabilities. You can update it here:
    http://www.adobe.com/products/acrobat/readstep2.html
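
As an added example (not from this thread and not ComboFix's or HijackThis's own code), a small Python parser for the "Reg Loading Points" section of the log above: it walks the Run and Browser Helper Objects keys and flags entries whose bracketed file stamp is empty, which is how the log marks a target file ComboFix could not find (the same btpsrc.dll BHO that HijackThis lists as "(file missing)"). The meaning of the empty stamp is an assumption drawn from that log; the sample lines are excerpted from it, and a flagged entry is a triage lead, not proof of infection (gStart is a Garmin tool).

```python
import re

# Registry key header line, with or without the surrounding brackets.
KEY_RE = re.compile(r'^\s*\[?(HK(?:EY_[A-Z_]+|[A-Z]{2})\\[^\]]*?)\]?\s*$')
# Value line: "Name"=value or {CLSID}=value, optionally followed by [stamp].
# Assumed from the log: the stamp is the file's timestamp, empty ([]) if no file was found.
ENTRY_RE = re.compile(
    r'^\s*(?:"(?P<name>[^"]+)"|(?P<clsid>\{[0-9A-Fa-f-]{36}\}))='
    r'(?P<value>.*?)(?:\s+\[(?P<stamp>[^\]]*)\]\)?)?\s*$')

def _clean(value, raw):
    """Drop outer quotes; the raw (unstamped) dump also uses registry escaping."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"').replace('\\\\', '\\') if raw else value

def parse_autoruns(log):
    """One dict per load-point entry; stamp is None in the raw dump, '' if no file."""
    entries, key = [], None
    for line in log.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        em = ENTRY_RE.match(line)
        if key and em:
            stamp = em.group('stamp')
            entries.append({'key': key, 'name': em.group('name') or em.group('clsid'),
                            'value': _clean(em.group('value'), stamp is None),
                            'stamp': stamp})
    return entries

def missing_targets(log):
    """Names of entries whose file was absent at scan time (leftover or hidden)."""
    return [e['name'] for e in parse_autoruns(log) if e['stamp'] == '']

# Sample input: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{cddaebff-783f-4ff5-8e51-d77dbd7baa1e}=C:\WINDOWS\system32\btpsrc.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-15 23:18 C:\WINDOWS\system32\Ati2mdxx.exe])
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gStart"="C:\Garmin\gStart.exe" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""
```

Running `missing_targets(SAMPLE_LOG)` on the excerpt returns the btpsrc.dll CLSID and gStart; against the full log it lists every load point that names a file which was not on disk at scan time.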


  • Closed Accounts Posts: 12,401 ✭✭✭✭Anti


    Wow, that's a pretty infected pc you have there :(


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Yes it is, I've handled worse though.

    You have to wonder about Norton Internet Security not doing anything to fix the OP's problems. It's really earning its annual subscription fee...

    The entries
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cbiqvwtdetn.dll
    are the worst probably. Some programs deal with this infection in the wrong way and can result in loss of Internet access.

    Once the OP does all the scans and his pc is clean, I'll hook him up with the best free software out there to ensure his pc will be safe in the future.

