Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Bad image: SensAPI.DLL not a valid Windows image

  • This topic is locked This topic is locked
5 replies to this topic

#1 Bleeeeeeeeeeeeeep


  • Members
  • 3 posts
  • Local time:12:31 AM

Posted 10 January 2009 - 06:31 PM

Hi :thumbsup:
I foolishly took on a friend's infested PC as a favour. I've got most of the problems sorted but there remains an intemitent windows pop-up saying "Bad image: SensAPI.DLL not a valid Windows image". This appears repeatedly, especially at startup, when installing something or particularly (so it seems to me) when using antimalware programs like Spybot or Hijack this. When installing Zonealarm is popped up hundreds of times and nearly prevented me from doing it. The title bar of the pop-up will have the name of an executable such as zlclient.exe for Zonealarm.

Maybe this is actually a corrupted DLL but other pages I've read suggest it could be malware. Any advice or suggestions appreciated. You ask to specify the type of infection. I'm sorry but I don't know exactly. Please feel free to ask for more details.


Here's the DDS.TXT output

DDS (Ver_09-01-07.01) - NTFSx86
Run by admin at 23:15:30.76 on 10/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.137 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\LUV1105P\dds[1].scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {AA5BE393-8D1B-B991-B308-2A3124EAEAB4} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\bay3jfbw.default\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-4 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-4 26824]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-10 353680]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-9 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-9 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-4 76040]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-12-2 33752]

=============== Created Last 30 ================

2009-01-10 18:23 <DIR> --d----- c:\program files\CCleaner
2009-01-10 14:56 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-01-10 14:56 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-01-10 14:56 <DIR> --d----- c:\program files\Zone Labs
2009-01-10 14:56 348,371 a------- c:\windows\system32\vsconfig.xml
2009-01-10 14:28 153 a------- c:\windows\wininit.ini
2009-01-10 00:27 <DIR> --d----- c:\windows\pss
2009-01-09 22:36 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-09 22:34 <DIR> --d----- c:\windows\Internet Logs
2009-01-09 20:00 27,936 ac------ c:\windows\system32\dllcache\SET5FF.tmp
2009-01-09 20:00 27,936 ac------ c:\windows\system32\dllcache\SET5FE.tmp
2009-01-09 20:00 33,088 ac------ c:\windows\system32\dllcache\n9i128v2.sys
2009-01-09 20:00 59,104 ac------ c:\windows\system32\dllcache\n9i128v2.dll
2009-01-09 20:00 13,664 ac------ c:\windows\system32\dllcache\n9i128.sys
2009-01-09 20:00 35,392 ac------ c:\windows\system32\dllcache\n9i128.dll
2009-01-09 20:00 128,000 ac------ c:\windows\system32\dllcache\n100325.sys
2009-01-09 19:59 52,255 ac------ c:\windows\system32\dllcache\n1000nt5.sys
2009-01-09 19:59 75,520 ac------ c:\windows\system32\dllcache\mxport.sys
2009-01-09 19:59 7,168 ac------ c:\windows\system32\dllcache\mxport.dll
2009-01-09 19:59 19,968 ac------ c:\windows\system32\dllcache\mxnic.sys
2009-01-09 19:59 19,968 ac------ c:\windows\system32\dllcache\mxicfg.dll
2009-01-09 19:59 21,888 ac------ c:\windows\system32\dllcache\mxcard.sys
2009-01-09 19:59 103,296 ac------ c:\windows\system32\dllcache\mtxvideo.sys
2009-01-09 19:59 5,504 ac------ c:\windows\system32\dllcache\mstee.sys
2009-01-09 19:59 49,024 ac------ c:\windows\system32\dllcache\mstape.sys
2009-01-09 19:59 12,416 ac------ c:\windows\system32\dllcache\msriffwv.sys
2009-01-09 19:59 2,944 ac------ c:\windows\system32\dllcache\msmpu401.sys
2009-01-09 19:59 22,016 ac------ c:\windows\system32\dllcache\msircomm.sys
2009-01-09 19:58 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-01-09 19:58 6,016 ac------ c:\windows\system32\dllcache\msfsio.sys
2009-01-09 19:58 56,832 ac------ c:\windows\system32\dllcache\msdvbnp.ax
2009-01-09 19:58 51,200 ac------ c:\windows\system32\dllcache\msdv.sys
2009-01-09 19:58 17,280 ac------ c:\windows\system32\dllcache\mraid35x.sys
2009-01-09 19:58 15,232 ac------ c:\windows\system32\dllcache\mpe.sys
2009-01-09 19:58 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-01-09 19:58 16,128 ac------ c:\windows\system32\dllcache\modemcsa.sys
2009-01-09 19:58 6,528 ac------ c:\windows\system32\dllcache\miniqic.sys
2009-01-09 19:58 320,384 ac------ c:\windows\system32\dllcache\mgaum.sys
2009-01-09 19:58 235,648 ac------ c:\windows\system32\dllcache\mgaud.dll
2009-01-09 19:58 26,112 ac------ c:\windows\system32\dllcache\memstpci.sys
2009-01-09 19:56 727,786 ac------ c:\windows\system32\dllcache\ltck000c.sys
2009-01-09 19:55 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-01-09 19:54 372,824 ac------ c:\windows\system32\dllcache\iconf32.dll
2009-01-09 19:54 100,992 ac------ c:\windows\system32\dllcache\icam5usb.sys
2009-01-09 19:54 20,480 ac------ c:\windows\system32\dllcache\icam5ext.dll
2009-01-09 19:54 45,056 ac------ c:\windows\system32\dllcache\icam5com.dll
2009-01-09 19:54 154,496 ac------ c:\windows\system32\dllcache\icam4usb.sys
2009-01-09 19:54 61,952 ac------ c:\windows\system32\dllcache\icam4ext.dll
2009-01-09 19:54 91,136 ac------ c:\windows\system32\dllcache\icam4com.dll
2009-01-09 19:54 26,624 ac------ c:\windows\system32\dllcache\icam3ext.dll
2009-01-09 19:54 141,056 ac------ c:\windows\system32\dllcache\icam3.sys
2009-01-09 19:54 38,528 ac------ c:\windows\system32\dllcache\ibmvcap.sys
2009-01-09 19:54 109,085 ac------ c:\windows\system32\dllcache\ibmtrp.sys
2009-01-09 19:53 100,936 ac------ c:\windows\system32\dllcache\ibmtok.sys
2009-01-09 19:53 9,216 ac------ c:\windows\system32\dllcache\ibmsgnet.dll
2009-01-09 19:53 28,700 ac------ c:\windows\system32\dllcache\ibmexmp.sys
2009-01-09 19:53 161,020 ac------ c:\windows\system32\dllcache\i81xnt5.sys
2009-01-09 19:53 702,845 ac------ c:\windows\system32\dllcache\i81xdnt5.dll
2009-01-09 19:53 58,592 ac------ c:\windows\system32\dllcache\i740nt5.sys
2009-01-09 19:53 353,184 ac------ c:\windows\system32\dllcache\i740dnt5.dll
2009-01-09 19:53 18,560 ac------ c:\windows\system32\dllcache\i2omp.sys
2009-01-09 19:53 8,576 ac------ c:\windows\system32\dllcache\i2omgmt.sys
2009-01-09 19:53 488,383 ac------ c:\windows\system32\dllcache\hsf_v124.sys
2009-01-09 19:53 50,751 ac------ c:\windows\system32\dllcache\hsf_tone.sys
2009-01-09 19:53 73,279 ac------ c:\windows\system32\dllcache\hsf_spkp.sys
2009-01-09 19:51 31,232 ac------ c:\windows\system32\dllcache\hpgt42tk.dll
2009-01-09 19:50 1,733,120 ac------ c:\windows\system32\dllcache\g400d.dll
2009-01-09 19:49 16,074 ac------ c:\windows\system32\dllcache\fa312nd5.sys
2009-01-09 19:48 53,248 ac------ c:\windows\system32\dllcache\eqndiag.exe
2009-01-09 19:47 117,760 ac------ c:\windows\system32\dllcache\e100b325.sys
2009-01-09 19:46 29,531 ac------ c:\windows\system32\dllcache\dgapci.sys
2009-01-09 19:45 216,064 ac------ c:\windows\system32\dllcache\cpscan.dll
2009-01-09 19:44 13,824 ac------ c:\windows\system32\dllcache\bulltlp3.sys
2009-01-09 19:43 36,096 ac------ c:\windows\system32\dllcache\avcaudio.sys
2009-01-09 19:42 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2009-01-09 19:10 <DIR> --d----- c:\program files\Trend Micro
2009-01-09 19:00 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-09 19:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-09 18:25 <DIR> --d----- c:\program files\Lavasoft
2009-01-09 18:25 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-09 17:27 <DIR> --d----- c:\windows\system32\scripting
2009-01-09 17:27 <DIR> --d----- c:\windows\system32\en
2009-01-09 17:27 <DIR> --d----- c:\windows\l2schemas
2009-01-09 17:27 <DIR> --d----- c:\windows\system32\bits
2009-01-09 17:25 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-09 17:22 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-01-03 20:14 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2009-01-10 00:26 90,112 a------- c:\windows\DUMP754f.tmp
2009-01-09 23:29 90,112 a------- c:\windows\DUMP90f5.tmp
2009-01-09 23:28 90,112 a------- c:\windows\DUMP2dd6.tmp
2009-01-09 23:27 90,112 a------- c:\windows\DUMP2bb3.tmp
2009-01-09 17:30 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 a------- c:\windows\system32\SET1E.tmp

============= FINISH: 23:16:07.84 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Bleeeeeeeeeeeeeep

  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:31 AM

Posted 16 January 2009 - 02:46 PM

Update: AVG Resident Shield has flagged up a trojan described as Generic11.ATBQ. When selecting more details it gives svchost.exe.
I can find next to nothing about this on the internet. Previously I've clicked Heal but it has come back. This time I checked Power User and clicked remove to vault. Too early to say what effect this has had.

Does anyone know about this trojan and could it be related to the sensapi.dll issue described in my original post?
The sensapi.dll pop-up pops up nearly 200 times in the first minute at startup with zlclient.exe in the title bar. Once I've closed all these by clicking the x in the corner it seems to behave itself.

Any help would be much appreciated.

Edit: I turned off System Restore as the virus report was giving a restore file as the source.

Edited by Bleeeeeeeeeeeeeep, 16 January 2009 - 07:56 PM.

#3 suebaby41


    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:31 PM

Posted 25 January 2009 - 01:45 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 Bleeeeeeeeeeeeeep

  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:31 AM

Posted 27 January 2009 - 04:05 AM

Hi and many thanks for your attention to this. I've given the PC back to my friend so there's a delay getting the information but here's the new RSIT log.

Kind regards,


Logfile of random's system information tool 1.05 (written by random/random)
Run by admin at 2009-01-26 22:16:14
Microsoft Windows XP Professional Service Pack 3
System drive C: has 51 GB (89%) free of 57 GB
Total RAM: 503 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:16:31, on 26/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\1KUDXDO4\RSIT[1].exe
C:\Program Files\Trend Micro\HijackThis\admin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1221228441250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1221228431390
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of file - 5904 bytes

======Scheduled tasks folder======


#5 suebaby41


    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:31 PM

Posted 30 January 2009 - 03:05 PM

Step 1

The entry below indicates that you have LinkScanner installed on your computer.

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dlll

WebmasterWorld says:
LinkScanner was withdrawn because it was a security risk for AVG users.

I recommend that you remove AVG V8 and reload it without the website scanner or download AVG Free. Please see this thread regarding LinkScanner Concerns AVG Stops Real-Time Scanning".

On July 5, 2008 Peter Cameron, a managing director of AVG for Australia and New Zealand, said that the AVG free edition is already fixed, and a new commercial version will be released on July 9. He pointed to a new version of free AVG 8 (build 138, July 4) that "addressed and rectified the issue," and also said that the old version of free AVG 8 was currently getting auto-updated with the new code, but that this usually takes a few days to propagate to the users.

Step 2

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 3

In Normal Mode, run an online malware check from at least two and preferably three (one may catch something that another one may not) of the following sites
Computer Associates Online Virus Scan
Kaspersky Online Virus Scanner
McAfee FreeScan
Panda's ActiveScan
Trend Micro™ HouseCall
Windows Live Safety Center Free Online Scan
WindowSecurity.com TrojanScan
When you have completed the scans, if you get a report of files that cannot be cleaned / deleted, make a note of the file location of anything that cannot be cleaned / deleted. Please edit the log(s) and remove:
  • items listed as "Object is locked skipped"
  • items reported that are in a quarantine folder
Please post the edited list in your next reply.

Step 4

I recommend using Spyware Blaster.
  • Please download SpywareBlaster and save it to your desktop.
  • Double click on it to install the program.
  • Follow the prompts and choose the default locations when installing the program.
  • When the program is installed, it will place an icon on your desktop.
  • Double click on the SpywareBlaster icon and you will be presented with a brief tutorial. On the first page of this tutorial, you will see some of the SpywareBlaster features
  • Click on the Next button to proceed to the second page of the tutorial.
  • If you want to purchase the software, then you should select Automatic Updating. If you do not plan on purchasing the software, then you should select the option for Manual Updating. Press the Next button.
  • At the next screen, click Finish.
  • At the next screen, Protection Status, click Enable All Protection.
  • Click Download Latest Protection Updates. This will ensure that SpywareBlaster has the latest definitions so that it can protect your browser more efficiently. You should update SpywareBlaster regularly, as much as every few days, in order to provide the best protection. Each time you update, be sure to click Enable All Protection.
Step 5

Malwarebytes' Anti-Malware is FREEWARE, however you may upgrade to the PRO version which contains realtime protection, scheduled scanning and updating.
  • Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing scan. If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  • Double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the Perform Quick Scan option is selected.
  • Click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully.
  • At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Step 6
  • Please download SUPERAntiSpyware (SAS) - SUPERAntiSpyware Free Version For Home Users
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options, make sure the following are checked:
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information, please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose Copy.
    • Click Close and Close again to exit the program.
  • Please post that information with a new HijackThis log.
Step 7
  • Please download the ATF-Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch (Windows XP) only
    • Java Cache
  • The rest are optional - if you want to remove them all, check Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • Follow the same steps for Firefox or Opera. You have the option of checking No if you want to save your passwords.
  • Click Exit on the Main menu to close the program.
Do not run it yet.

Step 8

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 9

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 10

Please run HijackThis in Normal Mode and post:
  • the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  • the log from MalwareBytes
  • the log from SUPERAntiSpyware
  • a new HijackThis log
Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#6 suebaby41


    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:31 PM

Posted 15 February 2009 - 12:57 PM

Tips To Protect Your Computer
  • Avoid clicking on links in instant messages.
  • Avoid opening email attachments.
  • Avoid visiting every poker site on the net.
  • Avoid downloading all that free cute junk.
  • Avoid using the peer-to-peer file sharing.
  • Avoid getting those handy toolbar doodads for your browsers.
  • Malware is out there just waiting to pounce on your system if you only pass by where they are lurking which may be at some seemingly innocent web site. Be careful because some of the malware are so vicious that no one can possibly save you once you let them in.
  • Remember that new malware emerges every week of the year. Take responsibility for protecting your system because you are its first and best defense.
Tools Downloaded To Clean Your Computer

I may have asked you to install some tools. Whether or not you need to keep these programs must be decided by you. If you choose to uninstall them, follow these directions:
  • Click Start > Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight the program, click Remove.
  • Close the Add or Remove Programs and the Control Panel windows.
Optional Tools:
  • Ad-Aware 2008 scans, detects, and removes spyware on your computer.
  • ATF-Cleaner cleans all user temp folders, Java cache, (which seems to be harboring more and more malware), the cache, cookies, history, download history, visited links and saved passwords. Scan weekly if you have high Internet use.
  • Trend Micro's HijackThis or random's System Information Tool (RSIT) may be uninstalled; however, if you should ever encounter another problem and seek help in this forum or others like it, you will need to download this application.
  • SUPERAntiSpyware scans, detects, and removes spyware on your computer.
  • Malwarebytes ' Anti-Malware scans, detects, and removes malware on your computer.
  • a-squared Free scans, detects, and removes trojans, worms, spyware on your computer.
  • Spybot S&D scans, detects, and removes malware on your computer.
If you have changed the default settings for files/folders, please restore the default settings for files/folders.
  • Go to My Computer.
  • Select the Tools menu and click Folder Options.
  • Click the View tab.
  • Under Advanced Settings, click the Restore Defaults button in the lower right corner.
  • Click Apply and then the OK and close My Computer.
Please take the time to read the "Steps To Keep Your Computer Clean And Secure" below.


Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. After cleaning, you will need to disable the System Restore function For Windows XP.
    Files placed in the System volume information folder are source files for the System Restore function that is available in Windows XP operating system. Files that were healed were moved in their original INFECTED state into this folder and it is necessary to DELETE them by following these steps:
    • Close all open programs. Then right-click My Computer on the Windows' desktop
    • Click on Properties.
    • Click on the System Restore tab.
    • Check Turn off System Restore on all drives.
    • Restart the system.
    • Enable System Restore by going through the first four steps again and uncheck the item mentioned in Step d.
    • You can find instructions on how to disable and enable system restore in the Windows XP System Restore Guide.
  • Make your Internet Explorer more secure: This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it asks you if you want to save the settings, press the Yes button.
    • Click Apply > OK button and then the OK to exit the Internet Properties page.
  • Use a Firewall: - I cannot stress how important it is that you use a Firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls. For more information about firewalls, and why a two-way firewall is better than the Windows XP one-way firewall, please read Understanding and Using Firewalls.
  • Use An Antivirus Software and Keep It Updated: - It is very important that your computer has an antivirus software running on your machine.  This alone can save you a lot of trouble with malware in the future.  It is imperative that you update your antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. For an article on antivirus programs and a listing of some available ones see the link below:
    Computer Safety On line - Anti-Virus
  • Visit Microsoft's Windows Update Site Frequently: It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • You should scan your computer with Spybot S&D on a regular basis just as you would an anti- virus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware from Your Computer
  • You should scan your computer with Ad-Aware 2007/2008 as well as Spybot S&D and your anti-virus program on a regular basis. A tutorial on installing & using this product can be found here:
    Ad-Aware 2008.
  • Update SpywareBlaster (at least weekly): SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firec settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then doubleclick it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK.
  • Use an alternative instant messenger program:.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet.
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built in popup blocker (as an added benefit!) that I have ever seen.
    Another good browser is Opera . Opera 9 comes loaded with the tools to keep you productive and safe. Try it today, it's absolutely free. Some of the Opera features are: Customization, BitTorrent, Content blocker, Add your favorite search engines, Thumbnail preview of tabs, Widgets, Transfer manager, Tabbed browsing, Password manager, Sessions (You can save a collection of open tabs as a session, for later retrieval, or start with the pages you had open when Opera was last closed.), Keyboard Shortcuts, Cookie control, a multitude of languages, Validate code, Toggle graphics and style sheets, and Special features such as Full-screen mode, Kiosk mode.
  • Update all these programs regularly: Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.
Good luck!

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users