[Resolved] My hijackthis log
PC Help Forum, Security & Safety, [Fixed] Hijackthis! Logs
#1
10-23-2005
leon
[Resolved] My hijackthis log

hello, my computer keeps switching itself off and restarting for no reason. I believe I may have a virus or a lot of spyware running through my PC. I will leave a log, and maybe someone will have an idea of what may be causing me these problems. And thanks to anyone who replies to my post, I'm at my wits' end!!

Logfile of HijackThis v1.99.1
Scan saved at 02:18:39, on 23/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\leon\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_90-1.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SlowDownCPU] C:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [FvXdb] C:\WINDOWS\jiuexuy.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [3QPYA5] "C:\DOCUME~1\leon\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ProRat V1.8 - {89999700-cba3-4071-b251-47cb894244cd} - C:\Documents and Settings\killa\Desktop\ProRat.exe (file missing)
O9 - Extra 'Tools' menuitem: ProRat V1.8 - {89999700-cba3-4071-b251-47cb894244cd} - C:\Documents and Settings\killa\Desktop\ProRat.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/upload...reUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe


#2
10-23-2005
joe5

Hi there Leon , welcome to PCHF.



Before using HijackThis Please Do the Following:



Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.
For 98/2000/ME:
  1. Double-click the My Computer icon
  2. Click on the View menu, click Folder Options
  3. Advanced Settings box, under the "Hidden files" folder, click Show all files.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.
Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).

How to disable system restore:

WinXP.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
WinME.
  1. Click Start > Settings > Control Panel.
  2. Double-click the System icon.
  3. If the System icon is not visible, click View all Control Panel options to display it.
  4. On the Performance tab, click File System.
  5. On the Troubleshooting tab check Disable System Restore.
  6. Click OK. Click Yes, when you are prompted to restart Windows.
Please download CCleaner

Then go to add/remove programs and uninstall NewdotNet. If you don't have that option or if you have difficulties then please follow the instructions on this site

Also uninstall "SurfAccuracy" and "CtxPls" in add/remove programs. (if present)

Download and run Ewido:

Download Ewido Security Suite
  • Install Ewido Security Suite.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu
  • Launch Ewido, there should be a big "E" icon on your desktop, double-click it.
  • The program will prompt you to update click the "OK" button
  • The program will now go to the main screen
  • You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed.
  • After the updates are installed, exit ewido.
Once the updates are installed do the following:
  • If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Reboot into Safe Mode: restart your computer and tap the F8 key. Use your up arrow key to highlight Safe Mode, then hit enter.
Close all open windows/programs/folders and then run Ewido. Have nothing else open while ewido performs its scan!
  • Click on Scanner , Settings
  • Under "How to scan" all boxes should be selected
  • Under "Possibly unwanted software" all boxes should be selected
  • Under "What to scan" select scan every file
  • Click OK, Complete system scan
  • Let the program scan the machine
  • If ewido finds anything, it will pop up a notification.
NOTE: We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged; in particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action.

DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. We will see that in the log when you post it later and let you know if ewido needs to be run again.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

Click Save report. Save the report to your desktop, exit ewido


Note:

If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and run a new scan.
And then fix these entries with HJT in Safe Mode (hit F8 when booting up):
(if still present)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [FvXdb] C:\WINDOWS\jiuexuy.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [3QPYA5] "C:\DOCUME~1\leon\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/upload...reUploader.cab
Then delete the files in bold and run CCleaner.

Do you have an MSI motherboard? And can you upload this file to the site below and report back the results?

O4 - HKLM\..\Run: [SlowDownCPU] C:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe

http://virusscan.jotti.org/

Now please post a new Hjt log plus the Ewido log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 10-23-2005 at 12:55 PM.
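The entries joe5 picks out above follow a few recognisable patterns: an autostart (O4) launched from a Temp directory or from a loose EXE under C:\WINDOWS with a random-looking name, a BHO (O2) from a known unwanted vendor directory, a dangling O9 button such as the ProRat one whose file is missing, the O10 Winsock LSP hijack, and O16 ActiveX downloads from hosts nobody vouched for. Here is that triage written out as a Python script. It is an added example for this page, not the forum's or HijackThis's own code; the log lines are a constructed sample copied from the entries quoted in this thread, and the trusted-host and unwanted-vendor lists are assumptions for the example, not a maintained database.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format HijackThis 1.99 prints, modelled on the
# entries quoted in this thread (the long URLs keep the "..." the forum
# truncated them to). Not the full log.
SAMPLE_LOG = r"""
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_90-1.dll
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [FvXdb] C:\WINDOWS\jiuexuy.exe
O4 - HKLM\..\Run: [3QPYA5] "C:\DOCUME~1\leon\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O9 - Extra button: ProRat V1.8 - {89999700-cba3-4071-b251-47cb894244cd} - C:\Documents and Settings\killa\Desktop\ProRat.exe (file missing)
O10 - Hijacked Internet access by New.Net
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
"""

# Assumed lists for this example; a real triage keeps them current.
TRUSTED_DPF_HOSTS = {"messenger.msn.com", "gamingzone.ubisoft.com", "java.sun.com"}
UNWANTED_VENDOR_DIRS = ("newdotnet", "surfaccuracy", "cxtpls", "autoupdate")

_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{4,8}$")   # e.g. FvXdb, 3QPYA5


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


def target_of(cmd):
    """Executable path from an O4 command string, quoted or bare."""
    m = re.match(r'^"(?P<q>[^"]+)"|^(?P<b>.*?\.exe)', cmd, re.I)
    if m:
        return m.group("q") or m.group("b")
    return cmd.split()[0] if cmd.split() else cmd


def check_o4(name, cmd):
    """Reason to flag an O4 autostart, or None if it looks ordinary."""
    low = target_of(cmd).lower()
    if "\\temp\\" in low:
        return "autostart launched from a Temp directory"
    # A loose EXE directly under C:\WINDOWS with a short random entry name,
    # the pattern of [FvXdb] C:\WINDOWS\jiuexuy.exe in the log above.
    if low.startswith("c:\\windows\\") and low.count("\\") == 2 and _RANDOM_NAME.match(name):
        return "random-looking entry name pointing at a loose EXE in C:\\WINDOWS"
    if any(v in low for v in UNWANTED_VENDOR_DIRS):
        return "autostart from a known unwanted vendor directory"
    return None


def triage(log_text):
    """Return the entries a helper would ask to have fixed, each with its reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        reason = None
        if tag == "O4":
            m = _O4.match(line)
            reason = check_o4(m.group("name"), m.group("cmd")) if m else "unparseable O4 entry"
        elif tag == "O2" and any(v in line.lower() for v in UNWANTED_VENDOR_DIRS):
            reason = "BHO loaded from a known unwanted vendor directory"
        elif tag == "O9" and "(file missing)" in line:
            reason = "IE button/menu item whose target file is missing"
        elif tag == "O10":
            reason = "Winsock LSP (O10) hijack; remove with an LSP-aware tool, not by deleting the DLL by hand"
        elif tag == "O16":
            h = re.search(r"https?://([^/\s]+)", line, re.I)
            if h and h.group(1).lower() not in TRUSTED_DPF_HOSTS:
                reason = "ActiveX control downloaded from untrusted host " + h.group(1)
        if reason:
            findings.append(Finding(tag, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run as-is it reports six entries (the NewDotNet BHO, the two odd O4 lines, the ProRat button, the O10 line and the tbcode.com download) and stays silent on the ntl Netguard and MSN Messenger lines. The O10 reason carries the caveat worth remembering: a Winsock LSP entry is removed with a tool that rewrites the LSP chain, such as LSPFix, because deleting the DLL by hand leaves the chain pointing at a missing module and breaks networking.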
#3
10-23-2005
leon
RE my hijack this log

I have done the following that you have said to do. Here are my reports. Thanks for your time.

hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 16:49:49, on 23/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Documents and Settings\leon\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SlowDownCPU] C:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [FvXdb] C:\WINDOWS\jiuexuy.exe
O4 - HKLM\..\Run: [3QPYA5] "C:\DOCUME~1\leon\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe



ewido log:
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 17:29:27, 23/10/2005
+ Report-Checksum: 4B6110F5
+ Scan result:
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll\\.Owner -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll\\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\YourSiteBar -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\YourSiteBar\Historyfiles -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\YourSiteBar\Historygoogle -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\YourSiteBar\Historysearch -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\IST -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0} -> Spyware.Webhancer : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-682003330-152049171-2146912999-1008\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\FOUND.004\FILE0639.CHK -> Spyware.NewDotNet : Cleaned with backup
C:\FOUND.004\FILE0642.CHK/whAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\FOUND.004\FILE0650.CHK -> Spyware.WebHancer : Cleaned with backup
C:\FOUND.004\FILE0651.CHK -> Spyware.WebHancer : Cleaned with backup
C:\FOUND.004\FILE0665.CHK -> Spyware.WebHancer : Cleaned with backup
C:\Documents and Settings\julie\Cookies\julie@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\julie\Cookies\julie@ehg-littlewoods.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\julie\Cookies\julie@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\leon\Local Settings\Temp\SHNT288.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Documents and Settings\leon\Local Settings\Temp\wh.exe/whAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP8\A0001458.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP8\A0001459.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP8\A0001460.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP8\A0001461.dll -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP8\A0001521.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP8\A0001527.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP8\A0001532.dll -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP22\A0014133.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP22\A0014134.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP22\A0014135.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP22\A0014136.dll -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP23\A0014289.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP23\A0014302.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP23\A0014303.dll -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP23\A0014314.exe/whAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP23\A0014315.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP27\A0015938.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP27\A0015939.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP27\A0015940.exe -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP27\A0015941.dll -> Spyware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{1AEDB6B4-5C4B-48A7-A57C-E7FB87350BAD}\RP27\A0015944.dll -> Spyware.WebHancer : Cleaned with backup

::Report End


#4
10-23-2005
joe5

It's not gone yet. First disable System Restore to prevent reinfection, and did you look at/upload this file?

O4 - HKLM\..\Run: [SlowDownCPU] C:\WINDOWS\INF\MSI\SlowDownCPU\SlowDownCPU.exe



Open the registry (Start->Run->regedit) and find the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the ‘AutoUpdater’ entry.
There is also one other entry that must be deleted. Its name will be a nonsensical string of eight random alphanumeric characters, and its value will be a single EXE filename, which is semi-random.

If you are not sure you have the right entry, open the System folder (inside the Windows folder, called ‘System32’ under Windows NT/2000/XP/2003) and load the EXE file it refers to into a text editor. The guilty file will have the string ‘WinGenerics’ inside it somewhere.

Now open the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and there should be a similar eight-character random entry pointing to another semi-random EXE in the System folder. Delete this too.
You can also delete the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Envolo, HKEY_LOCAL_MACHINE\SOFTWARE\AutoUpdate and HKEY_CURRENT_USER\Software\Apropos to clean up.

Open a Command Prompt window (from Start->Programs->Accessories) and enter the following commands:

cd %WinDir%\System <enter>
regsvr32 /u "C:\Program Files\CxtPls\CxtPls.dll" <enter>

Restart the computer and you should be able to delete the ‘AutoUpdate’ folder in ‘Program Files’ (on the C: drive, even if your Program Files are normally elsewhere), along with the folder ‘CxtPls’

In the System folder you can also delete the two semi-randomly-named EXE files referred to by the registry entries of the SysAI and CxtPls variants, and, if you have them, auto_update_uninstall.exe and auto_update_uninstall.log.


Then fix these with hjt:


O4 - HKLM\..\Run: [FvXdb] C:\WINDOWS\jiuexuy.exe
O4 - HKLM\..\Run: [3QPYA5] "C:\DOCUME~1\leon\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.tbcode.com/ist/softwares/...06_regular.cab
Delete the files in bold, run CCleaner and post a new HJT log please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
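The identification step in the instructions above (a value in each Run key whose name is eight random alphanumerics, whose data is a bare EXE filename in the System folder, and whose file contains the string 'WinGenerics', plus the named 'AutoUpdater' entry) written out as a Python script. This is an added example for this page, not from the post or the guide it quotes. The Run-key values, file names and file contents are constructed so the logic runs offline; it only reports what it would delete and leaves the actual deletions, the regsvr32 /u step and the reboot to the operator. The winreg reader at the bottom is the path you would use on a real Windows machine.

```python
import os
import re

RUN_NAME = re.compile(r"^[A-Za-z0-9]{8}$")         # eight random alphanumerics
BARE_EXE = re.compile(r'^[^\\/:\s"]+\.exe$', re.I)  # a lone filename, no path
MARKER = b"WinGenerics"                             # string the guide says the dropped EXE contains

# Constructed stand-in for the two Run keys and the System32 folder, so the
# logic runs offline. Value names and file contents are made up for the example.
FAKE_RUN_KEYS = {
    "HKLM": {
        "AutoUpdater": r"C:\Program Files\AutoUpdate\AutoUpdate.exe",
        "qz8k3vwe": "mfr3ac.exe",            # fits the pattern and carries the marker
        "ab12cd34": "realtool.exe",          # fits the pattern but is clean
        "ntl Netguard": r'"C:\Program Files\ntl\ntl Netguard\RPS.exe"',
    },
    "HKCU": {
        "7hx2pq9m": "ktlp1x.exe",            # the matching per-user entry
    },
}
FAKE_SYSTEM32 = {
    r"C:\WINDOWS\System32\mfr3ac.exe": b"MZ\x90\x00 ... WinGenerics ... more code",
    r"C:\WINDOWS\System32\realtool.exe": b"MZ\x90\x00 a legitimate helper",
    r"C:\WINDOWS\System32\ktlp1x.exe": b"MZ\x90\x00 WinGenerics",
}


def find_suspect_run_entries(run_values, system_dir, read_file):
    """run_values: {value name: data} from one Run key.
    read_file(path) -> bytes, or None when the file is absent.
    Returns (name, data, why) for entries to remove; nothing is deleted here."""
    hits = []
    for name, data in run_values.items():
        if name == "AutoUpdater":
            hits.append((name, data, "the AutoUpdater entry the guide names"))
            continue
        # Both halves of the pattern must hold before the file is even opened.
        if not (RUN_NAME.match(name) and BARE_EXE.match(data)):
            continue
        blob = read_file(system_dir.rstrip("\\") + "\\" + data)
        if blob is not None and MARKER in blob:
            hits.append((name, data, "random name, bare EXE, and the file contains " + MARKER.decode()))
    return hits


def scan_all(run_keys, system_dir=r"C:\WINDOWS\System32", read_file=FAKE_SYSTEM32.get):
    """Apply the check to every hive given; defaults use the constructed data."""
    return {hive: find_suspect_run_entries(vals, system_dir, read_file)
            for hive, vals in run_keys.items()}


def read_run_key(hive_name):
    """Read a real Run key on Windows (not used by the offline demo)."""
    import winreg  # Windows-only module
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values, i = {}, 0
    with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


def read_disk(path):
    """read_file callback for a real machine."""
    return open(path, "rb").read() if os.path.isfile(path) else None


if __name__ == "__main__":
    for hive, hits in scan_all(FAKE_RUN_KEYS).items():
        for name, data, why in hits:
            print(f"{hive}\\...\\Run [{name}] = {data}: {why}")
```

On a live box the call becomes scan_all({"HKLM": read_run_key("HKLM"), "HKCU": read_run_key("HKCU")}, read_file=read_disk). The marker check is what keeps the eight-character rule from flagging a legitimately odd-named entry, which is why the constructed "ab12cd34" value is not reported.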


All times are GMT +1. The time now is 06:02 AM.
Powered by vBulletin
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
SEO by vBSEO 3.2.0 RC7
All Graphics & Content Copyright © 2004-2008 - PC Help Forum.com