Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Thiselt.exe ? Please Help!


  • This topic is locked This topic is locked
14 replies to this topic

#1 Red_Scorpion

Red_Scorpion

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 26 July 2006 - 12:34 PM

Hi there, i have an IE window that pops-up everytime i reboot my computer and stalls there for a long time, i have hard time closing it, and while trying that i get "system low on virtual memory" messages from windows and more than 20 instances of dumprep.exe running in my taskmanager.
Everything goes back to normal once i get to close IE as long as i dont reboot computer.
I noticed haing a process called "thiselt.exe" runing as well, and after searching the net found out that it's a malware.
Another process that i had to terminate was "1 Admin.exe" no ide what that is!
I did full scans, AVG & Ad-aware with no luck.

I got the HJT logs but thislet and 1 Admin don't show in them because i had terminated the process.
I also removed the 2 entries from my startup in msconfig.
Any ideas how i can get rid of them?

Thanks for the help!



Logfile of HijackThis v1.99.1
Scan saved at 1:24:33 PM, on 26/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Moi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.utrjfzjdpyimtswp.org/J1IdtubztE...W9jMUNFQOs7.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isketch.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110739805918
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: bw+0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {A60343BB-1916-4A96-A3BE-B5BB0BCB3885} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:13 PM

Posted 01 August 2006 - 06:33 AM

Hey Red_Scorpion, welcome to BleepingComputer.
You have a LOP infection.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

Logitech Desktop Messenger

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.utrjfzjdpyimtswp.org/J1IdtubztE...W9jMUNFQOs7.htm
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Open HijackThis.
Click on Open Misc Tools Section
Make sure that both boxes beside "Generate StartupList Log" are checked:
  • List all minor sections(Full)
  • List Empty Sections(Complete)
Click Generate StartupList Log.
Click Yes at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

Download Findlop by Metallica. Unzip it to your desktop.
Double click findlop.bat. It will open a notepad file.
Copy the content of that file and paste it here in your reply.

So please post back with the following logs:
1) A new Hijackthis log
2) A startup list
3) The uninstall list
4) The Findlop log.

David

#3 Red_Scorpion

Red_Scorpion
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 03 August 2006 - 10:04 AM

Hello David :thumbsup:
Thanks a lot for your help, I really appreciate it!
Here are the results of my new scans:

1) A new Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:45:59 AM, on 03/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Moi\Desktop\Douja\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110739805918
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


2) A startup list

StartupList report, 03/08/2006, 10:43:14 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Moi\Desktop\Douja\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Moi\Desktop\Douja\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Moi\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
LVCOMSX = C:\WINDOWS\System32\LVCOMSX.EXE
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *
StubPath = rundll32 iesetup.dll,IEAccessUserInst

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\FlashFXP\IEFlash.dll - {E5A1691B-D188-4419-AD02-90002030B8EE}

--------------------------------------------------

Enumerating Task Scheduler jobs:

A2E57E939192F9EB.job
AA36535C9181C854.job

--------------------------------------------------

Enumerating Download Program Files:

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/C...C4D/mp43dmo.CAB

[FileSharingCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fsmsngr-fr.dll
CODEBASE = http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5co...b?1110739805918

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Zintro.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flash...ent/swflash.cab

[WheelofFortune Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab31267.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Intel® 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Rezident Driver: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech USB Monitor Filter: system32\drivers\lvusbsta.sys (manual start)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NETGEAR WG311v2 802.11g Wireless PCI Adapter: System32\DRIVERS\netwg311.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Logitech QuickCam Express(PID_0928): System32\DRIVERS\LV561AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{63C4C402-EBD3-4058-990C-E8418EB5FD5E} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Moi\LOCALS~1\Temp\GLB1A2B.EXE||C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 32,707 bytes
Report generated in 0.203 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


3) The uninstall list

Ad-Aware SE Personal
Adobe Photoshop CS
Adobe Reader 7.0.7
AVG Free Edition
BitTornado 0.3.7
FlashFXP v3
Google Talk (remove only)
HijackThis 1.99.1
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash Player 8
Microsoft DirectX 9.0 SDK Update (Summer 2004)
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
Mozilla Firefox (1.5.0.5)
MSN Messenger 7.5
QuickTime
RealPlayer
Shockwave
Skype 1.3
SmartFTP
SpywareBlaster v3.5.1
Winamp (remove only)
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Player 10
WinMX
WinRAR archiver


4) The Findlop log

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A2E57E939192F9EB.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\ben\applic~1\four01~1\setup bike wma.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Ben'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/12/2005 2:00:00
NextRun: 08/03/2006 11:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/26/2001
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'AA36535C9181C854.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\moi\applic~1\four01~1\setup bike wma.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Dooj'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/13/2005 14:00:00
NextRun: 08/03/2006 11:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/03/1995
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:13 PM

Posted 03 August 2006 - 03:04 PM

Heya Red_Scorpion :thumbsup:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Open notepad and copy and paste next content in it:

%systemdrive%
cd %WinDir%\Tasks
attrib -r -s -h A2E57E939192F9EB.job
attrib -r -s -h AA36535C9181C854.job
del A3F8B181918729BD.job
del AA36535C9181C854.job

Save this as remjobs.bat , choose to save as *all files and place it on your desktop.
Doubleclick on remjobs.bat. A doswindow will open and close again, this is normal.

2) Please search and delete this folder:

C:\Documents and Settings\Moi\Application Data\four01 <--Windows abbeviates long file/folder names. This folder's name begins with four01 and will sound like random words strung together. If there is more than one folder beginning with those letters, don't delete but write down the exact names and post them back here. The right folder to delete wil contain the file 'setup bike wma.exe'

3) Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#5 Red_Scorpion

Red_Scorpion
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 03 August 2006 - 11:53 PM

hi again :thumbsup:
I couldn't find the folder four01~ nor the file setup bike wma.exe
I looked the location specified and i also did a search but no luck.
I did follow the other instructions though and here are my results.

Thanks again for the help!! You rock!

Logfile of HijackThis v1.99.1
Scan saved at 12:47:57 AM, on 04/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Moi\Desktop\Douja\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110739805918
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


----------------------------------------------------------------------------------------------------------------------


Start Time= 04/08/2006 0:39:26.05
Running from: C:\Documents and Settings\Moi\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report

)))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-22 23:14:08 118784 ( ..... )

"C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe"
2006-07-22 01:34:28 ( .D... ) "C:\Program Files\Windows Installer

Clean Up"
2006-07-22 00:09:12 129649 ( A.... ) "C:\WINDOWS\elpp100drop.exe"
2006-07-22 00:09:12 ( .D... ) "C:\Program Files\elticons"
2006-07-22 00:09:10 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"
2006-07-22 00:09:06 36864 ( A.... ) "C:\WINDOWS\thiselt.exe"
2006-07-13 01:18:32 ( .D... ) "C:\Program Files\Paltalk Messenger"
2006-06-24 12:52:56 ( .D... ) "C:\Program Files\BitTornado"
2006-05-17 14:32:20 25088 ( A.... ) "C:\WINDOWS\system32\msxml3a.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days

)))))))))))))))))))))))))))))))))))))))))))


2006-07-24 23:49 118,784 C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
2006-07-22 00:09 36,864 C:\WINDOWS\thiselt.exe
2006-07-22 00:09 319,294 C:\WINDOWS\YOINSI.exe
2006-07-22 00:09 129,649 C:\WINDOWS\elpp100drop.exe
2006-07-15 22:24 6,144 C:\WINDOWS\system32\kbdth3.dll
2006-07-15 22:24 6,144 C:\WINDOWS\system32\kbdth2.dll
2006-07-15 22:24 6,144 C:\WINDOWS\system32\kbdinpun.dll
2006-07-15 22:24 6,144 C:\WINDOWS\system32\ftlx041e.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdvntc.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdusa.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdurdu.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdth1.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdth0.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdsyr2.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdsyr1.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdintel.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdintam.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdinmar.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdinkan.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdinhin.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdinguj.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdindev.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdheb.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdfa.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbddiv2.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbddiv1.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbda3.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbda2.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbda1.dll
2006-07-15 22:24 5,120 C:\WINDOWS\system32\kbdgeo.dll
2006-07-15 22:24 5,120 C:\WINDOWS\system32\kbdarmw.dll
2006-07-15 22:24 5,120 C:\WINDOWS\system32\kbdarme.dll
2006-07-15 22:24 185,344 C:\WINDOWS\system32\Thawbrkr.dll
2006-07-15 22:24 10,752 C:\WINDOWS\system32\c_iscii.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points

))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,50,00,00,00,00,00,00,00,d0,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,50,00,00,00,00,00,00,00,d0,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and

Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed

Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Coal hide]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="1 Admin"
"hkey"="HKCU"
"inimapping"="0"
"command"="C:\\DOCUME~1\\Moi\\APPLIC~1\\FOUR01~1\\1 Admin.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\license bold bib info]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TransSend"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~1"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06apelt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thiselt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\thiselt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7

-reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey

Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"inimapping"="0"




Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A2E57E939192F9EB.job

Completion time: 04/08/2006 0:39:48.99
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:13 PM

Posted 04 August 2006 - 03:51 AM

Hey Red_Scorpion :thumbsup:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
C:\WINDOWS\elpp100drop.exe
C:\Program Files\elticons
C:\WINDOWS\YOINSI.exe
C:\WINDOWS\thiselt.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

2) Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please search again for this folder now:
C:\Documents and Settings\Moi\Application Data\four01 <--Windows abbeviates long file/folder names. This folder's name begins with four01 and will sound like random words strung together. If there is more than one folder beginning with those letters, don't delete but write down the exact names and post them back here. The right folder to delete wil contain the file 'setup bike wma.exe'
If you still can't find after showing hidden files just say.

4) Open notepad and copy and paste next content in it:

%systemdrive%
cd %WinDir%\Tasks
attrib -r -s -h A2E57E939192F9EB.job
del A2E57E939192F9EB.job

Save this as remjobs2.bat , choose to save as *all files and place it on your desktop.
Doubleclick on remjobs.bat. A doswindow will open and close again, this is normal.

5) Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Coal hide]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\license bold bib info]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06apelt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

6) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

Please post back with:
1) A new Combofix log
2) A new Hijackthis log
3) The add/remove uninstall list.

David

#7 Red_Scorpion

Red_Scorpion
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 06 August 2006 - 03:48 PM

Hey D.
I did all you asked me to, but still can not find the folder four01~.

Anyways, here are my news logs:

Combofix:

Start Time= 06/08/2006 16:42:57.39
Running from: C:\Documents and Settings\Moi\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-22 01:34:28 ( .D... ) "C:\Program Files\Windows Installer Clean Up"
2006-07-22 00:09:12 ( .D... ) "C:\Program Files\elticons"
2006-07-13 01:18:32 ( .D... ) "C:\Program Files\Paltalk Messenger"
2006-06-24 12:52:56 ( .D... ) "C:\Program Files\BitTornado"
2006-05-17 14:32:20 25088 ( A.... ) "C:\WINDOWS\system32\msxml3a.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-15 22:24 6,144 C:\WINDOWS\system32\kbdth3.dll
2006-07-15 22:24 6,144 C:\WINDOWS\system32\kbdth2.dll
2006-07-15 22:24 6,144 C:\WINDOWS\system32\kbdinpun.dll
2006-07-15 22:24 6,144 C:\WINDOWS\system32\ftlx041e.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdvntc.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdusa.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdurdu.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdth1.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdth0.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdsyr2.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdsyr1.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdintel.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdintam.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdinmar.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdinkan.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdinhin.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdinguj.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdindev.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdheb.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbdfa.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbddiv2.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbddiv1.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbda3.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbda2.dll
2006-07-15 22:24 5,632 C:\WINDOWS\system32\kbda1.dll
2006-07-15 22:24 5,120 C:\WINDOWS\system32\kbdgeo.dll
2006-07-15 22:24 5,120 C:\WINDOWS\system32\kbdarmw.dll
2006-07-15 22:24 5,120 C:\WINDOWS\system32\kbdarme.dll
2006-07-15 22:24 185,344 C:\WINDOWS\system32\Thawbrkr.dll
2006-07-15 22:24 10,752 C:\WINDOWS\system32\c_iscii.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,50,00,00,00,00,00,00,00,d0,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,50,00,00,00,00,00,00,00,d0,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"




Contents of the 'Scheduled Tasks' folder

Completion time: 06/08/2006 16:43:16.78
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-06.164257.txt


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 4:45:37 PM, on 06/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Moi\Desktop\Douja\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110739805918
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


Uninstall List:

Ad-Aware SE Personal
Adobe Photoshop CS
Adobe Reader 7.0.7
AVG Free Edition
BitTornado 0.3.7
FlashFXP v3
Google Talk (remove only)
HijackThis 1.99.1
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash Player 8
Microsoft DirectX 9.0 SDK Update (Summer 2004)
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
Mozilla Firefox (1.5.0.6)
MSN Messenger 7.5
QuickTime
RealPlayer
Shockwave
Skype 1.3
SmartFTP
SpywareBlaster v3.5.1
Winamp (remove only)
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Player 10
WinMX
WinRAR archiver

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:13 PM

Posted 06 August 2006 - 04:17 PM

This is looking much better! :thumbsup:

Just a small bit to do now.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, copy and paste next in the field:

C:\WINDOWS\system32\msxml3a.dll

Then click the Send File button below.
Please let me know when you have submitted the file.

Please delete this folder:
C:\Program Files\elticons

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.
Also let me know how the computer is running.

David

#9 Red_Scorpion

Red_Scorpion
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 06 August 2006 - 05:14 PM

DAVID!! You are my hero :thumbsup:
I submitted the file you asked for, and got the new logs.
Compter is much faster and finally when i reboot i don't get any stupid IE pop-ups!!Great :flowers:

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:04:43 PM, on 06/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Moi\Desktop\Douja\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110739805918
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe



Panda Scan Logs:



Incident Status Location

Adware:Adware/MediaTickets Not disinfected C:\!KillBox\YOINSI.exe
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ali D\Application Data\Mozilla\Firefox\Profiles\hn4pfc81.default\cookies.txt[.go.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ali D\Cookies\ben@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Ali D\Cookies\ben@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Ali D\Cookies\ben@adultfriendfinder[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ali D\Cookies\ben@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ali D\Cookies\ben@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ali D\Cookies\ben@go[2].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ali D\Desktop\AliDesktop\lopremover.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ali D\Local Settings\Temporary Internet Files\Content.IE5\2LWZIX25\upAYB[1].int
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ali D\Local Settings\Temporary Internet Files\Content.IE5\KHOBO3SF\upAYB_unk[2].int
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\p452xzfr.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\p452xzfr.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\p452xzfr.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\p452xzfr.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[.belnk.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tws9qoy5.default\cookies.txt[.go.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest\Cookies\guest@2o7[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Cookies\guest@ig.com[2].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ZC8CNV9G\newpass2[1].htm


Again, thanks a lot for your help! i really do appreciate it.
Douja

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:13 PM

Posted 07 August 2006 - 03:51 AM

Please empty this folder:
C:\!KillBox

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the fox --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

I also want you to clean your cache and cookies from your firefox browser.
There are a few infected files which need to be removed from your system.

° Open the firefox browser.
° Click on the "tools" button and click on "options".
° Click "privacy" in the menu on the left side window.
° Open the History, Cookies and Cache tabs individually.
° Choose the "clear" button on each.
° Click OK to close the Options window

Please reboot. I see a clean log now :thumbsup:
How is everything running?
David

#11 Red_Scorpion

Red_Scorpion
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 08 August 2006 - 01:48 AM

Hey D,
I did everything you asked for, computer seems to be running good after reboot :thumbsup:
I got you new HTJ logs just in case :flowers:
I got something on my desktop called "Thumbs.db" can i just delete it now along with all the other files i had created for the tests?


Logfile of HijackThis v1.99.1
Scan saved at 2:44:33 AM, on 08/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Moi\Desktop\Douja\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110739805918
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:13 PM

Posted 08 August 2006 - 05:24 AM

Hey there,
You are very welcome.

Let's remove that file from your desktop.
Open up the Control Panel
Select Folder Options
Click the View tab (see picture below)
Check "Do not cache thumbnails"
Click the OK button

The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
* A article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any addition questions just ask...
David

#13 Red_Scorpion

Red_Scorpion
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 21 August 2006 - 09:18 AM

DAVID!!
Hello my friend, and thank you very much for your help.
I followed all the instructions, computer is running great, i am very thankful to everything, you guys rock!
As I said before "YOU ARE MY HERO" :thumbsup:

Take care and keep fighting!
D.

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:13 PM

Posted 21 August 2006 - 10:28 AM

You're welcome :thumbsup:

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:11:13 PM

Posted 19 November 2006 - 05:44 AM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users