please help i am infected

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

balistic

Thread Starter
Joined
Jul 3, 2007
Messages
6
Please read description below the log, thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:51:53 AM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\NETCMD.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\balistic\Desktop\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\balistic\Local Settings\Temp\RarSFX3\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\balistic\Local Settings\Temp\RarSFX3\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - (no file)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

----------------------------

The problem is C:\WINDOWS\SYSTEM32\NETCMD.EXE, which is a keylogger that none of the antiviruses will remove, nor Trojan Hunter etc. :( I have no clue where I got it from. I've had my suspicions for a while now, not because passwords or anything were changed, only because the file name was in caps and most other sys32 filenames aren't. So I installed Security Task Manager, which can grab text from within the program; this is what it grabbed:

Code:
\AYO X Logger\AYO Spy 1.041\Server V1.041\AYO.vbp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Auto Login
\AYO X Logger\AYO Spy 1.041\Server V1.041\AYO.vbp
netcmd .exe
netconfig .exe
Right Click
Left Click
Software\Microsoft\Active Setup\Installed Components
3qF\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
Install Dir
Software\Zone Labs\ZoneAlarm\plugin\obj\001
font color
font color
font color
Sign In
font color
font color
font color
font color
Inside Yahoo
form9 action
hidden name
em Value
hidden name
The page cannot be found
TEXTAREA readonly
msg rows
INPUT style
submit value
script language
Save Password
Admin group
Limited Account
font face
Tahoma color
table style
td bgColor
f4f4f4 width
font color
0033CC size
font color
User Name 
There was No New Contact 
font color
font color
font color
font color
font color
font face
Tahoma size
table style
td bgColor
f4f4f4 width
font color
0033CC size
td bgColor
font color
0033CC size
td bgColor
f4f4f4 width
td bgColor
f4f4f4 width
td bgColor
f4f4f4 width
font face
Tahoma size
Up Passwords 
table style
No icon resources found in source file
Source icon directory is corrupt
td bgColor
f4f4f4 width
font color
0033CC size
Connection Name 
td bgColor
f4f4f4 width
font size
Failed to get handle to source file
td bgColor
f4f4f4 width
font size
td bgColor
f4f4f4 width
font size
font face
Tahoma size
Up Passwords 
table style
td bgColor
f4f4f4 width
font color
0033CC size
There was no new entry.
Current entries were sent before 
span lang
span lang
Source icon bitmap is corrupt
Invalid icon in source file
Destination file could not be opened
Destination file could not be loaded
Failed to locate resource in specified file
Failed to load resource in specified file
Internet Explorer
font face
Tahoma size
Cached Passwords 
td bgColor
f4f4f4 width
font color
0033CC size
Site Address 
td bgColor
f4f4f4 width
font size
Sign In
Internet Explorer
**** the one who is trying to Crack this Application D  _From B56mx 
YTuck th
dhHijkDDEPVr ethC8alEngi
----------------
****k
GetProcAddress
LoadLibraryA
fac8_vbExp_t
Frlas
zVNT_SIWKSAdRenLDBFunc
MUbe
K/ib
taThqn
/kDui.w
 Hto
qima
padk
CacApw
isry
tign9 I
ZTaai
0RNXLOPadqe8ik
Bsdgmavw
ZeTjg
IhiB
tYyyogXp
,iBk
\aEHaole/
VdUu
OdManLm
VDLokupAco4t
MulfBy
KL/Qoolicyt
,Kxepsky
 iik
apVHForTBMc
Svzdo\B986.OLTBJTR
 Enum
VGlobgHDDr4C
RtlMovekH4EF
Csurc
F\ds/LotibrM,9H
mpuRL4DBb,LC4X
CusA
ialFo4d
LysNmDirc
GtShorPa
J9Akernl3Q2,
advpck.
yqLAoEUT2NYDf
a,evhGmp4bsFHX82
 Laf
 cosHan
,yocf.2x
LP_M0RCnewb
ainFITsk
ulvqf
vY4VOB83.bFu
XLog
qooq
oooq
oooZooq
oooq
ookgq
niied
keeik
ZdeaPaadeiiedd
ZNNPPadeeiieeda
TOPPaadeeikkiieed
ProcCallEngine
__vbaExceptHandler
EVENT_SINK_QueryInterface
EVENT_SINK_Release
DllFunctionCall
EVENT_SINK_AddRef
MethCallEngine
strText
strTitle
Data2send
LogFilePath
Label1
FinalOut
Connect
Data2Log
tmrLog
tmrMatch
tmrSendMail
McKill
qooq
oooq
oooZooq
oooq
ookgq
niied
keeik
ZdeaPaadeiiedd
ZNNPPadeeiieeda
TOPPaadeeikkiieed
MainF
 Password 
2 color
/font
3 color
ndex
shimgvw.dll,ImageView_Fullscreen 
rundll32.exe 
/table
/font
/font
/span
.SwapIcon.bas
 border
 borderColor
left
float
 collapse
collapse
border
Dial
3 color
/font
/font
 Phone Number 
2 color
 Password 
2 color
/table
 User Name 
2 color
/font
 border
 borderColor
left
float
 collapse
collapse
border
Dial
3 color
/font
_RasDefaultCredentials
RasDialParams
Microsoft\Network\Connections\pbk\rasphone.pbk
About
 border
 borderColor
left
float
 collapse
collapse
border
 Chat Contacts 
Yahoo
3 color
/table
/font
/font
Settings
Windows
yahoo.com
\Archive\Messages\
/font
Contacts 
/font
yahoo.com
System
Start
Yahoo
/table
Screen
Messenger\Profiles\
/table
/font
/font
/font
/font
/font
 System Info 
 border
 borderColor
left
float
 collapse
collapse
border
MpfTray.exe
winver.exe
uckk
DisableRegistryTools
DisableTaskMgr
Quit
Title
Busy
Click
Item
document
navigate
InternetExplorer.application
/script
form9.submit
vbscript
. name
 type
 color
CoTaskMemFree
PStoreCreateInstance
pstorec.dll
 I have recorded these Info for ya 
1 cols
 name
 font
 color
border
1 style
From 
 Value
post
 method
/title
title
 saved from url
/font
/font
/font
/font
/font
 Messenger
Yahoo
/font
/font
Pasted
****
/font
Yahoo
.exe
\Taskmon
DialParamsUID
LocalFree
LocalAlloc
GlobalFree
GetVersionExA
SHGetSpecialFolderPathA
shell32.dll
GetPrivateProfileIntA
LookupAccountNameA
IsValidSid
ConvertSidToStringSidA
WideCharToMultiByte
MultiByteToWideChar
LsaFreeMemory
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
RasGetEntryPropertiesA
RasGetEntryDialParamsA
SystemCfg.dat
\Help
C\WINDOWS\system32\MSVBVM60.DLL\3
3qClass
SOFTWARE\KasperskyLab\AVP6
path
rasapi32.dll
Software\Microsoft\Windows\CurrentVersion\
Explorer.exe 
Shell
RasEnumEntriesAj
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
SwapIcon.bas
RegSetValueExA
RegDeleteKeyA
PcInfo
GetLog2Send
DisYat
DisYp
DisReg
DisTask
WriteLog
GetKeyState
GetAsyncKeyState
GetWindowTextLengthA
GetWindowTextA
GetForegroundWindow
tmrMatch
McKill
Form
tmrSendMail
Label1
Data2Log
FinalOut
tmrLog
asliAzAfta\
SystemTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
FindClose
FindFirstFileA
FindResourceA
lstrlenA
EnumResourceNamesA
GlobalUnlock
GlobalLock
RtlMoveMemory
LockResource
LoadResource
FreeLibrary
LoadLibraryExA
SetFilePointer
ReadFile
CreateFileA
GetComputerNameA
GetUserNameA
advapi32.dll
KillTimer
SendMessageA
VirtualFreeEx
WriteProcessMemory
GetWindowThreadProcessId
VirtualAllocEx
FindWindowExA
FindWindowA
InternetGetConnectedStateEx
wininet.dll
Process32Next
Process32First
CreateToolhelp32Snapshot
TerminateProcess
OpenProcess
.com/
.exe
kernel32.dll
SHGetPathFromIDList
SHGetSpecialFolderLocation
GetTempPathA
GetSystemDirectoryA
GetShortPathNameA
advpack.dll
SYSTEM\CurrentControlSet\Services\TlntSvr
SYSTEM\ControlSet002\Services\TlntSvr
IsNTAdmin
Software\Yahoo\Pager\
Software\Microsoft\Windows\CurrentVersion\Policies\System\
MicrosoftApp32\
CloseHandle
netconfig.exe
netcmd.exe
netconfig.exe
netcmd.exe
syschost.exe
syslnfo.exe
sysinfo.exe
sysver.exe
newbn
MainF
PsibPsnDs
PsoCs

----- Windows Title -----
 


It looks nasty and I really would like to fix it without having to format my PC :(

Please someone help me, I'm going crazy.


Edit: I found the site http://ayosoft.net/english/index.htm but still don't know how to get rid of it, please help.
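A way to triage a strings dump like the one in the post above, added here as an example and not part of the original thread: it groups the Windows API and registry names that appear in the dump by the capability they point to, and collects the executable names the binary refers to. The grouping into capabilities and the function names `triage` and `exe_names` are this example's assumptions; `SAMPLE` is a subset of lines copied from the dump.

```python
import re

# Indicator strings taken from the dump above; the capability labels are
# this example's own grouping, not output of any tool.
CAPABILITIES = {
    "keystroke capture": ["GetAsyncKeyState", "GetKeyState"],
    "active-window tracking": ["GetForegroundWindow", "GetWindowTextA"],
    "stored-credential access": ["PStoreCreateInstance", "LsaRetrievePrivateData",
                                 "RasGetEntryDialParamsA"],
    "cross-process memory write": ["VirtualAllocEx", "WriteProcessMemory"],
    "process enumeration and kill": ["CreateToolhelp32Snapshot", "Process32Next",
                                     "TerminateProcess"],
    "disable admin tools": ["DisableTaskMgr", "DisableRegistryTools"],
    "logon persistence": [r"CurrentVersion\Winlogon",
                          r"Active Setup\Installed Components"],
}

# The dump splits some names as "netcmd .exe", so allow one space before ".exe".
EXE_RE = re.compile(r"([A-Za-z0-9_]+)[ ]?\.exe\b", re.IGNORECASE)

# Subset of lines copied from the dump above, plus one HTML-template noise line.
SAMPLE = r"""
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
netcmd .exe
netconfig .exe
Software\Microsoft\Active Setup\Installed Components
DisableRegistryTools
DisableTaskMgr
PStoreCreateInstance
LsaRetrievePrivateData
RasGetEntryDialParamsA
GetKeyState
GetAsyncKeyState
GetWindowTextA
GetForegroundWindow
WriteProcessMemory
VirtualAllocEx
Process32Next
CreateToolhelp32Snapshot
TerminateProcess
syschost.exe
font color
"""


def triage(dump):
    """Return {capability: sorted indicators found} for a strings dump."""
    lines = [ln.strip().lower() for ln in dump.splitlines() if ln.strip()]
    report = {}
    for capability, indicators in CAPABILITIES.items():
        hits = sorted(i for i in indicators
                      if any(i.lower() in ln for ln in lines))
        if hits:
            report[capability] = hits
    return report


def exe_names(dump):
    """Return the normalised, de-duplicated .exe names mentioned in the dump."""
    return sorted({m.group(1).lower() + ".exe" for m in EXE_RE.finditer(dump)})


if __name__ == "__main__":
    for capability, hits in triage(SAMPLE).items():
        print(f"{capability}: {', '.join(hits)}")
    print("file names to look for on disk:", ", ".join(exe_names(SAMPLE)))
```

A single hit means little on its own, since many legitimate programs import these functions; it is the combination across several groups that makes a binary worth submitting for analysis.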
 
Joined
Jul 26, 2002
Messages
46,349
Hi balistic

Welcome to TSG! :)

I removed the code tags from your post. Please just copy and paste your logs. The code tags are unnecessary and make the post harder to read.

I'll look at your HJT log now.
 
Joined
Jul 26, 2002
Messages
46,349
* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and attach it to your next reply along with a new Hijack This log.
 

balistic

Thread Starter
Joined
Jul 3, 2007
Messages
6
Sorry about the code tags. Also, I had previously tried a few other online virus scans for the purpose of just seeing if they could detect it (the Panda one and some other). Here are the results you requested.

---

BitDefender Online Scanner

Scan report generated at: Wed, Jul 04, 2007 - 08:23:23

Scan path: C:\;D:\;E:\;F:\;

Statistics

Time 01:30:35

Files 336363

Folders 5645

Boot Sectors 5

Archives 7609

Packed Files 7813

Results

Identified Viruses 0

Infected Files 0

Suspect Files 0

Warnings 0

Disinfected 0

Deleted Files 0


Engines Info

Virus Definitions 636723

Engine build AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)

Scan plugins 14

Archive plugins 38

Unpack plugins 6

E-mail plugins 6

System plugins 1

Scan Settings

First Action Disinfect

Second Action Delete

Heuristics Yes

Enable Warnings Yes

Scanned Extensions *;

Exclude Extensions

Scan Emails Yes

Scan Archives Yes

Scan Packed Yes

Scan Files Yes

Scan Boot Yes

Scanned File

Status No virus found.
---
 

balistic

Thread Starter
Joined
Jul 3, 2007
Messages
6
Sorry, I forgot to post this HJT log. (I had to rename HJT to me.exe to get it to show netcmd again.)

Logfile of HijackThis v1.99.1
Scan saved at 1:11:40 PM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SYSTEM32\NETCMD.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\balistic\Desktop\hijackthis_sfx\me.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\balistic\Local Settings\Temp\RarSFX3\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\balistic\Local Settings\Temp\RarSFX3\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - (no file)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
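A triage pass over a HijackThis log in the format posted above, added here as an example and not part of the original thread: it parses the running-process list and the `O`/`R`/`F`/`N` entries and flags a few weak signals, including the thread starter's own observation about an all-uppercase image name under system32. The flag names and the functions `parse_hjt` and `flag` are this example's assumptions; `SAMPLE` is an excerpt of lines copied from the log.

```python
import re
from ntpath import basename

ENTRY_RE = re.compile(r"^([ROFN]\d+) - (.*)$")

# Excerpt of lines copied from the log above.
SAMPLE = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SYSTEM32\NETCMD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\balistic\LOCALS~1\Temp\RarSFX3\jccatch.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
"""


def parse_hjt(log):
    """Split a log into running-process paths and (code, text) entries."""
    processes, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def flag(log):
    """Return (flag, detail) pairs; each flag is a prompt to look closer."""
    processes, entries = parse_hjt(log)
    findings = []
    for path in processes:
        # Heuristic from the thread: all-caps image name under system32.
        if "\\system32\\" in path.lower() and basename(path).isupper():
            findings.append(("uppercase-system32-image", path))
    for code, text in entries:
        low, detail = text.lower(), f"{code}: {text}"
        if "\\temp\\" in low:
            findings.append(("loads-from-temp", detail))
        if "(file missing)" in low or "(no file)" in low:
            findings.append(("target-missing", detail))
        if text.endswith("\\"):
            findings.append(("path-without-file", detail))
    return findings


if __name__ == "__main__":
    for kind, detail in flag(SAMPLE):
        print(f"[{kind}] {detail}")
```

None of these flags proves an infection: software run from a self-extracting archive also loads from Temp, and leftover registrations often point at missing files.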
 
Joined
Jul 26, 2002
Messages
46,349
Patience please. This isn't live tech support. I'm not here 24/7 and this is a holiday in the US!
 

balistic

Thread Starter
Joined
Jul 3, 2007
Messages
6
I know, I know, but my post was being carried off in the sea of posts. I just didn't want it to fall out of help's eye :( sorry
 
Joined
Jul 26, 2002
Messages
46,349
* Click here to download ATF Cleaner by Atribune and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    • If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.


* Click Here and download Killbox and save it to your desktop.

* Double-click on Killbox.exe to run it.
  • Put a tick by Delete on Reboot.
  • In the "Full Path of File to Delete" box, copy and paste the following line:

    C:\WINDOWS\SYSTEM32\NETCMD.EXE

  • Click on the button that has the red circle with the X in the middle.
  • It will ask for confirmation to delete the file on next reboot and ask you if you want to reboot now.
  • Click Yes and let the computer reboot.
* After it reboots, run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan. Also leave the pc alone during the scan. Don't surf the net or run any programs. Just let the scan run.

Post a new HiJackThis log along with the results from ActiveScan
 