How do you deal with the hopeless ones?
YARDofSTUF
04-18-06, 12:35 AM
I've got a friend that complains maybe every 6 months cuz he's always using LimeWire or WinMX and freaks out about losing songs. Hates reformatting and if you give him a detailed list of what to do, he'll do something else and think that he did what he was told.
He can tie me up on the phone and aim at the same time lol
No matter what I have him run, it doesn't help. He has Ad-Aware, Spybot, SpywareBlaster, NOD32, NAT firewall.
He's the only contender to be as difficult to help as meggie LOL
YeOldeStonecat
04-18-06, 07:14 AM
You just have to let them learn that using P2P is suicide for their machine. A P2P user..you can only slow down the time it takes to kill their machines...no matter what you use, how many layers of protection..it's going down..no matter what. It's a whole breeding ground of ad/spy/malware/trojans/worms.
It gets tiring spending all that time helping someone that won't realize that, as you're noticing. Volunteering your time to clean out malware infesting machines...it's a lot of time.
webyourbusiness
04-18-06, 06:41 PM
I agree with YeOlde here... I'm struggling with a relative that insists that they have to get rid of NOD32 because they've "never had so many viruses and trojans" - and - "I had far less problems with NAV"... quite honestly, I'm at the point that I'd rather they continue on in ignorance, only they have inadequate backup and this one PC is a MAJOR part of their business.... but I really do despair that they have no concept of the fact that they had problems which simply were not detected before NOD32's installation and worse still - these infestations are a result of THEIR use of the machine, no-one else is causing them!
CableDude
04-18-06, 09:22 PM
Start charging for your services.
YARDofSTUF
04-19-06, 02:49 AM
Start charging for your services.
Yeah, he was showing off a SIG Sauer P229, should take that :D
Got most of it cleaned up with the UBCD and some searching the HDD, but it's still hit pretty good. Keeps creating some file on the desktop and I can't get into task manager at all.
YeOldeStonecat
04-19-06, 06:51 AM
Some variant of spyaxe/spysheriff/smitfraud?
YARDofSTUF
04-19-06, 09:13 AM
Some variant of spyaxe/spysheriff/smitfraud?
Dunno, the file created is called freeprodtb
YARDofSTUF
04-20-06, 02:27 PM
Hijackthis log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Network\ipnetwork.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\SMBOLS~1\notepad.exe
C:\Program Files\Common Files\W?nSxS\spool32.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\CAPTAI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\djyho.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oeflapv.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SMBOLS~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [Vabzflos] C:\Program Files\Common Files\W?nSxS\spool32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{04CC8D7D-86C9-42AF-A130-75B76BEC56FC}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{04CC8D7D-86C9-42AF-A130-75B76BEC56FC}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\sglsrv32.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
Deleted a few:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\djyho.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
and the missing file ones
the last one:
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
could that be what keeps loading a profile window on start every boot?
and do you guys see others I should remove?
Gotta get the rest of mcrapfee off there.
YeOldeStonecat
04-25-06, 12:08 PM
Only have a second to look at this..but first two things that jump out at me...
1) I see Enternet 300...which is a PPPoE service...which means this computer is directly plugged into the DSL modem...no router...no firewall. Yuck. Consider this computer infested and compromised.
2) McCrapee on there. 2x antivirus program :nope:
This one is interesting...
O4 - HKCU\..\Run: [Vabzflos] C:\Program Files\Common Files\W?nSxS\spool32.exe
Internet Explorer needs repairing....
mnosteele52
04-25-06, 09:09 PM
Quite a few bad things, I would remove the following:
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\SMBOLS~1\notepad.exe
C:\Program Files\Common Files\W?nSxS\spool32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\djyho.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oeflapv.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SMBOLS~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [Vabzflos] C:\Program Files\Common Files\W?nSxS\spool32.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\sglsrv32.dll (file missing)
The winlog.exe is supposed to be a child filter? I'm not too sure about that, unless you know what it is I would suggest removing it. As YOSC said, remove McAfee, it sucks and you have NOD32.
I would use CWShredder, ewido, Ad-Aware, SpyBot, SpySweeper and Kaspersky's online scan as well.
:)
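Added example (not part of the thread or any poster's code): a small Python triage pass over a few lines copied from the HijackThis log above, flagging the patterns the replies single out: extra programs appended to Shell/UserInit, autoruns with no path, a Windows binary name in an unexpected folder, a '?' in a path, and missing-file entries. The expected-folder table and the reading of '?' as an unrepresentable character are assumptions.

```python
import re

# Lines copied from the HijackThis log posted in this thread.
SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\djyho.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oeflapv.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SMBOLS~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [Vabzflos] C:\Program Files\Common Files\W?nSxS\spool32.exe
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\sglsrv32.dll (file missing)
"""

# Assumption: folders where these Windows binaries normally live (XP-era layout).
SYSTEM_NAMES = {"notepad.exe": (r"c:\windows", r"c:\windows\system32"),
                "userinit.exe": (r"c:\windows\system32",),
                "explorer.exe": (r"c:\windows",)}
# First executable in a command line: a full path (may contain spaces) or a bare name.
EXE = re.compile(r'"?((?:[a-z]:\\[^"]*?|[^\s"\\]+)\.(?:exe|dll))', re.I)

def audit(log):
    """Return [(line, [reasons])] for every log line worth a closer look."""
    findings = []
    for line in log.splitlines():
        line, reasons = line.strip(), []
        f2 = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
        o4 = re.match(r"O4 - \S+: \[.+?\] (.*)", line)
        if f2:
            # Anything after the first comma-separated program is an add-on.
            extra = [p.strip() for p in f2.group(2).split(",") if p.strip()][1:]
            if extra:
                reasons.append(f"{f2.group(1)} also starts {', '.join(extra)}")
        elif o4 and (m := EXE.match(o4.group(1))):
            path = m.group(1)
            folder, _, name = path.rpartition("\\")
            if not folder:
                reasons.append("no path given, resolved through the search path")
            elif name.lower() in SYSTEM_NAMES and folder.lower() not in SYSTEM_NAMES[name.lower()]:
                reasons.append(f"{name} running from unexpected folder {folder}")
            if "?" in path:  # assumption: '?' replaced an unrepresentable character
                reasons.append("'?' in path (unrepresentable character)")
        if line.endswith("(file missing)"):
            reasons.append("points at a missing file")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for entry, why in audit(SAMPLE):
        print(entry, "->", "; ".join(why))
```

A flag here only means the entry deserves a manual look before anything is removed; the legitimate NOD32 autorun in the sample passes untouched.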