Clicker.fr And Slow Pc


  • This topic is locked
30 replies to this topic

#1 Beltway

Beltway

  • Members
  • 42 posts
  • Local time:05:40 AM

Posted 16 November 2006 - 02:29 AM

How can I get rid of Clicker.FR and how can I make my PC run quicker? I know a lot of that stuff on startup is not needed but not exactly what. Also, I would like to make my PC surf quicker, I get the feeling it is pokey due to some of these things running. The main thing though is the Clicker.FR which AVG cannot get rid of. What can I delete without harming my system?



Logfile of HijackThis v1.99.1
Scan saved at 11:13:11 PM, on 11/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Admin\Desktop\stng260.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\Symantec\WinFax\WTNSETUP.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153864241656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153864219406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5ECED8F9-DC69-4DCF-B94E-B4C3E31E7AD7}: NameServer = 85.255.116.98,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD415C26-7DAF-4003-83CB-57CB3711A63C}: NameServer = 85.255.116.98,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



#2 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • Local time:05:40 AM

Posted 16 November 2006 - 02:54 AM

I know I can get rid of the limewire at startup by going through the limewire program, but I know that is not what is slowing me down because I always stop that program manually after startup. I also often end the process for spysub.exe because it is a huge resource hog.

#3 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:01:40 PM

Posted 16 November 2006 - 12:27 PM

Hello Beltway, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#4 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • Local time:05:40 AM

Posted 16 November 2006 - 03:01 PM

> Hello Beltway, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
>
> Please take note of the following:
>
>   • I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
>   • The fixes are specific to your problem and should only be used for this issue on this machine
>   • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
>   • If you don't know, stop and ask! Don't keep going on.
>   • Please reply to this thread. Do not start a new topic.
> Please give me some time to look over your log and I will get back to you as soon as possible.
> Thanks,
> Charles


sounds great Charles :thumbsup:

#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:01:40 PM

Posted 16 November 2006 - 04:12 PM

Hello Beltway, sorry for the delay in getting back to you.

======

> how can I make my PC run quicker? I know a lot of that stuff on startup is not needed but not exactly what. Also, I would like to make my PC surf quicker, I get the feeling it is pokey due to some of these things running.

I have a few things for you to do to make your computer faster at the end of our fix, when your computer is free from any malware.

======

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet)

======

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files as they are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or NOD32.

======

Please disable CounterSpy, as it may hinder the fixing of some HijackThis entries. You can re-enable it after you're clean.

To disable CounterSpy:
  • Right Click on the CounterSpy Icon located in your system tray.
  • With your mouse, hover over Active Protection Status (This should be enabled)
  • A menu will slide out, then right click on Disable Active Protection
Once your log is clean please re-enable CounterSpy.

======

Disable SpywareGuard:

Right click the running icon of Spywareguard, it will open the program.
Then go to Menu, file, exit.
Then confirm the program is closed.

======

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKCU\..\Run: [LDM] \Program\
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5ECED8F9-DC69-4DCF-B94E-B4C3E31E7AD7}: NameServer = 85.255.116.98,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD415C26-7DAF-4003-83CB-57CB3711A63C}: NameServer = 85.255.116.98,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Go to Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
Double-click the Network Connections icon.
Right-click the Local Area Connection icon and select Properties.
Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

======

Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter
Exit the command window

======

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

======

Open HijackThis
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

======

Please post back with the following
- C:\fixwareout\report.txt
- New HJT log
- Uninstall list

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
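The steps the helper prescribes above (fix the R0/R1 search entries, the O16 control from pdbox.co.kr and the four O17 NameServer lines in HijackThis, then put the adapter back on automatic DNS and flush the resolver cache) can be checked mechanically before and after the fix. The script below is an added example, not code from this thread, from HijackThis or from FixWareout: it parses those three classes of line out of a HijackThis 1.99 log and reports every entry that falls outside a baseline the responder supplies. The baselines are placeholders (RFC 5737 addresses stand in for the ISP's resolvers; the trusted host lists are assumed), and the sample log is a handful of lines copied from the first log posted in this thread.

```python
"""Triage a HijackThis 1.99 log for the hijack classes fixed in this thread.

Added example: not code from the thread, from HijackThis or from FixWareout.
It reads the R0/R1 (IE search and start page), O16 (ActiveX download) and
O17 (TCP/IP NameServer) lines of a log and reports every entry that falls
outside a baseline the responder supplies.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed baselines. The DNS entries are RFC 5737 documentation addresses standing
# in for the ISP's or DHCP-assigned resolvers; the host lists are what this user
# is assumed to have set on purpose. Replace all three before trusting the output.
EXPECTED_DNS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}
TRUSTED_SEARCH_HOSTS = {"yahoo.sbc.com", "red.clientapps.yahoo.com", "www.yahoo.com"}
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "download.bitdefender.com"}

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)

# The step the helper in the thread prescribed for each finding class.
REMEDIATION = {
    "dns_hijack": "Fix the O17 line in HijackThis, set the adapter back to "
                  "'Obtain DNS server address automatically', run ipconfig /flushdns, reboot.",
    "search_hijack": "Fix the R0/R1 line in HijackThis and set the search/start page again by hand.",
    "untrusted_activex": "Fix the O16 line in HijackThis so the control is no longer registered.",
}


def parse_nameservers(field):
    """Split a NameServer value. HijackThis prints per-adapter keys comma-separated
    and the global Parameters key space-separated, so accept either delimiter."""
    servers = []
    for tok in re.split(r"[,\s]+", field.strip()):
        if not tok:
            continue
        try:
            servers.append(ipaddress.ip_address(tok))
        except ValueError:
            servers.append(tok)  # keep non-IP junk visible instead of dropping it
    return servers


def triage(log_text, expected_dns=EXPECTED_DNS, search_hosts=TRUSTED_SEARCH_HOSTS,
           dpf_hosts=TRUSTED_DPF_HOSTS):
    """Return (kind, where, detail) findings in log order; other line types are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            rogue = [str(s) for s in parse_nameservers(m["servers"]) if s not in expected_dns]
            if rogue:
                findings.append(("dns_hijack", m["key"], rogue))
            continue
        m = R_RE.match(line)
        if m:
            # Entries without a URL (an empty SearchAssistant, ProxyOverride = localhost)
            # yield no hostname and are left alone.
            host = urlsplit(m["value"].strip()).hostname
            if host and host not in search_hosts:
                findings.append(("search_hijack", m["key"].strip(), host))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname
            if host and host not in dpf_hosts:
                findings.append(("untrusted_activex", m["clsid"], host))
    return findings


def remediation(finding):
    """Map a finding to the step the helper in the thread prescribed for it."""
    return REMEDIATION[finding[0]]


# Constructed sample: a handful of lines copied from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153864241656
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co.kr:8057/WStarter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5ECED8F9-DC69-4DCF-B94E-B4C3E31E7AD7}: NameServer = 85.255.116.98,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        kind, where, detail = finding
        print(f"[{kind}] {where} -> {detail}\n    {remediation(finding)}")
```

Run it as-is to see the four findings from the sample, or pass a saved log with triage(open(path).read()). The O17 check is the one that matters most here: when every adapter key and the global Parameters key point at resolvers the user never configured, every name the machine looks up can be answered by whoever runs those servers, which is why the helper resets DNS to automatic and flushes the cache before moving on to FixWareout.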


#6 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • Local time:05:40 AM

Posted 19 November 2006 - 10:52 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:39:07 PM, on 11/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ACT\SideACT.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [LDM] \Program\
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\Symantec\WinFax\WTNSETUP.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153864241656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153864219406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32
{235C64D4-310D-4666-9DDB-2157D3CE4B59}.exe
{402560F5-62E5-4874-95B2-00D0858FC410}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


µTorrent
56K Soft Modem (I56LVP-X7)
AC3Filter (remove only)
ACT!
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 6.0.1
Adobe Reader 6.0.2 CE
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.0
afreeca 제거 [uninstall]
Age of Empires III
Age of Mythology
Age of Mythology - The Titans Expansion
Artifact 2
Avery® Wizard 2.1 for Microsoft® Word 2002
AVG Free Edition
Bink and Smacker
BitLord 1.1
BitTornado 0.3.12
BitTorrent 4.0.1
CCleaner (remove only)
Codec Pack - All In 1 6.0.2.6
Concord WinFax Plugin v3.0
Corel Painter IX
Deer Park Alpha 2 (1.0+)
DivX Player
DivX Pro Trial
Dominions II (remove only)
Dr. DivX Trial
eMule
EXEtender Player
ffdshow
FireAnt RC1
GameSpy Arcade
Google Earth
HijackThis 1.99.1
Hot Ice
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
hp psc 1200 series
Image Resizer Powertoy for Windows XP
Intel Application Accelerator
IsoBuster 1.4
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_05
Java Web Start
Juice 2.2
Kazaa Lite v2.1.0 [K++ Edition] [build 3]
Kohan Ahriman's Gift Demo
Lavasoft Reghance 2.1
LimeWire 4.12.6
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Logitech Desktop Messenger
Logitech SetPoint
Macromedia Flash Player 8
ManageMore Business Software
Media Exchange
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
mIRC
Moonlight-Elecard MPEG Player
Mozilla Firefox (2.0)
Mozilla Thunderbird (1.5.0.8)
MSN Add-in for Windows Messenger
MSN Gaming Zone
MSN Messenger 7.5
MSXML4 Parser
MyLife Organized 1.7.2 (Evaluation)
Myth II 1.5.1 Demo
Nero Suite
Noble Armada Demo
NVIDIA Drivers
Outlook Express Q823353
Panda ActiveScan
PeerGuardian 2.0
Populous: The Beginning
PPStream
QuickBooks Pro 2001
QuickTime
ReaConverter Pro 3.4
RealArcade
RealPlayer
Registry Mechanic 5.2
SBC Yahoo! Applications
SBC Yahoo! DSL Activation
SBC Yahoo! Messenger Explorer Bar
SBNews: News Robot v 8.3
Sid Meier's Civilization 4
Space Empires IV Gold
Space Empires V Demo
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Steel Panthers World At War v8.20
Supremacy Four Paths To Power
Sygate Personal Firewall
Symantec WinFax PRO
Taipan 1.05
Task Manager 2007
TES Construction Set
Thomas Guide DE
TVUPlayer 2.2.0
Unreal Streaming Media Player v 4.0
Update for Windows XP (KB898461)
Voice Editor 3
Warlords Battlecry II Demo
Web Savings from Ebates
Winamp (remove only)
WinAVIVideoConverter
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows WMF Metafile Vulnerability HotFix 1.4
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885523
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
WinRAR archiver
WinZip
Wizard's Quest
x264 Revision 440 x264.nl (remove only)
Yahoo! Install Manager
Yahoo! Messenger


I noticed that Spyware Guard, which I turned off and exited, was running when the computer came on, probably I need to turn off "turn on on start up" which I did not do when I exited the program initially. It asked me if I wanted to allow the 5 new values, which I did, because I figured it was not supposed to be on anyways. These values were all having to do with IE, so now when I use IE it goes to the msn page. I almost always use Firefox if I can.

I noticed AVG has caught clicker.FR again already but now it has disappeared. This is weird because usually it just keeps coming up and when I click heal or try to put it into the AVG vault it won't let me, but rather it simply reappears in the middle of the screen notifying me of its presence - yet now, it just disappeared.

Can this Clicker.FR thing, make it unsafe for me to access personal information?

Thanks for your help. Sorry it took me so long to get back to you. Usually it should not take me more than 24 hours.

#7 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 19 November 2006 - 11:11 PM

I noticed the instant that I connected to the internet with Firefox that clicker.FR popped up from the AVG Res shield.

But something different is happening. It pops up and then the notice disappears. It used to just continually pop up and count down from 30 seconds, disappear for 1/10th of a second and reappear. Now it's gone without touching anything.

edit: And now, bang, it's back again as soon as I open my Thunderbird email.

But once again it did the countdown; this time it popped back up for another thirty-second countdown, and then no more. I doubt that means it is gone from my system, though.

edit: now again when I click Firefox it's back. Can I just manually delete the file, which is C:\WINDOWS\system32\{402560F5-62E5-4874-95B2-00D0858FC410}.exe?

I am assuming that won't do anything because the thing can regenerate itself somehow, and that it might be dangerous to just delete it?

edit: I notice also that now when I click heal it says "object was successfully healed" but I guess it must be recreating itself from somewhere?

edit: again, it's back when I click Firefox but now it successfully heals.

Edited by Beltway, 19 November 2006 - 11:57 PM.


#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 20 November 2006 - 01:42 PM

Hello Beltway, sorry for the delay in getting back to you.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet).

======

I noticed that Spyware Guard, which I turned off and exited, was running when the computer came on, probably I need to turn off "turn on on start up" which I did not do

Can you do this for me, please? The reason we do this is because if it is running in the background, it can interfere with some of the fixes we need to make using HijackThis.

======

Can this Clicker.FR thing, make it unsafe for me to access personal information?

That depends on what else is lurking on your computer that we cannot see. But since it's better to be safe than sorry, and since you are concerned about it, you can change all your passwords from another (clean) computer to prevent anything like this happening.

======

Since your last post, you seem to have moved HijackThis from C:\Program Files\HijackThis to your Desktop. Although this makes it easier for you to access, it is not a good idea; HJT creates backups of the items we fix, and if it is on the Desktop they will be created there too. Then you might accidentally delete them, and if we do something wrong, we won't have any backups to restore. Please move it back to where it was originally.

======

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

======

Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
======

Go to Start | Control Panel | Add/Remove Programs and remove the following (if they exist):

Web Savings from Ebates

Logitech Desktop Messenger
Logitech® Desktop Messenger (LDM) is a free service designed to deliver software support, news and information you can use. LDM ensures that you have simple, speedy, and effortless access to product upgrades, technology tips, and technology news and offers that are relevant to you. LDM delivers information right to your desktop, allowing you to take advantage of all of the advanced features of the Logitech products you own, while staying abreast of new computer-related product and service developments (Logitech and otherwise) that are applicable to your life. Once a week, when connected to the internet, Logitech Desktop Messenger will automatically connect with Logitech servers to see if there are any new messages for you. It performs this check during idle time to avoid slowing down other applications that may be accessing the Internet. If there is a message on the server, then Logitech Desktop Messenger will download the message utilizing bandwidth that would otherwise be unused. After the message is downloaded, Logitech Desktop Messenger will wait for one minute of keyboard and mouse inactivity before displaying the message on your screen. I suggest doing all updates yourself and removing this application!

µTorrent
BitLord 1.1
BitTornado 0.3.12
BitTorrent 4.0.1
eMule
Kazaa Lite v2.1.0 [K++ Edition] [build 3]
LimeWire 4.12.6

You are using PeerToPeer programs. These are optional removals. However, anytime you are running any type of p2p application, you are more prone to infection by malware. The choice to remove it is entirely up to you, but I would strongly recommend that you get rid of them. If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.
Read this article for alternatives that will provide some of the same function without the garbage:
http://www.spywareinfo.com/articles/p2p/ or http://p2p.malwareremoval.com/

Remember that these may require you to reboot your computer to complete the uninstallation - just let them.

======

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O4 - HKCU\..\Run: [LDM] \Program\
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

======

Next, please find and delete the following files/folders (if present):

C:\Program Files\Web Savings from Ebates <--Folder
C:\WINDOWS\system32\{235C64D4-310D-4666-9DDB-2157D3CE4B59}.exe <--File
C:\WINDOWS\system32\{402560F5-62E5-4874-95B2-00D0858FC410}.exe <--File

If you removed the P2P programs, delete these folders:

C:\Program Files\µTorrent
C:\Program Files\BitLord
C:\Program Files\BitTornado
C:\Program Files\BitTorrent
C:\Program Files\eMule
C:\Program Files\Kazaa
C:\Program Files\LimeWire

If you removed Logitech Desktop Messenger, delete this folder:

C:\Program Files\Logitech Desktop Messenger

======

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
======

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
======

Reboot into Normal Mode again.

======

Download this file - combofix.exe
Double click combofix.exe and then follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

======

Please post me back the following logs (you may need more than one reply to get them all in!):
- New Hijackthis log
- AVG log
- ComboFix log

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
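The entries Charles singled out above (a Run value with a broken target path, a protocol handler with no CLSID and no file, and the GUID-named executable in system32 that AVG keeps flagging) can be spotted mechanically in a HijackThis log. As an added example, not code from the thread or from HijackThis itself, this Python script applies those checks to constructed sample lines in the log format shown here; the `[example]` Run value name and the `triage_*` function names are assumptions, and the LimeWire line shows a judgment call these checks deliberately do not catch.

```python
"""Triage of HijackThis O4/O9/O18 lines (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed sample lines in the HijackThis 1.99.1 format seen in the thread.
# The "[example]" value name is made up; the GUID file name is the one AVG flagged.
SAMPLE_LINES = [
    "O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP",
    "O4 - HKCU\\..\\Run: [LDM] \\Program\\",
    "O4 - HKCU\\..\\Run: [example] C:\\WINDOWS\\system32\\{402560F5-62E5-4874-95B2-00D0858FC410}.exe",
    "O4 - Startup: LimeWire On Startup.lnk = C:\\Program Files\\LimeWire\\LimeWire.exe",
    "O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup",
    "O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)",
    "O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# A GUID-named .exe directly in system32 is how the Clicker.FR dropper hid here.
GUID_EXE_IN_SYSTEM32 = re.compile(r"\\system32\\" + GUID + r"\.exe$", re.I)
# O4 Run/RunOnce values: "[name] command line"
O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<target>.*)$")
# O4 Startup-folder shortcuts: "name.lnk = target"
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: [^=]+ = (?P<target>.*)$")
QUOTED = re.compile(r'^"([^"]+)"')
UNQUOTED_EXE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|$)", re.I)
# Paths Windows can actually resolve: drive letter, %ENV% prefix, or a bare
# executable name looked up on the PATH (e.g. AGRSMMSG.exe, RUNDLL32.EXE).
RESOLVABLE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%|[\w.~-]+\.(?:exe|dll|com|scr)$)", re.I)


def executable_path(target: str) -> str:
    """Return the program part of an O4 command line, without its arguments."""
    target = target.strip()
    m = QUOTED.match(target) or UNQUOTED_EXE.match(target)
    return m.group(1) if m else target


def triage_line(line: str) -> List[str]:
    """Reasons an analyst would look twice at one line; empty list = nothing odd."""
    reasons = []
    # HijackThis itself annotates dangling entries; surface them first.
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("target file missing")
    if "(no CLSID)" in line:
        reasons.append("no CLSID")
    m = O4_RUN.match(line) or O4_STARTUP.match(line)
    if m:
        path = executable_path(m.group("target"))
        if GUID_EXE_IN_SYSTEM32.search(path):
            reasons.append("GUID-named executable in system32")
        if not RESOLVABLE.match(path):
            reasons.append("malformed target path")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(f"{', '.join(why)}: {entry}")
```

A clean result for the LimeWire shortcut is expected: it was fixed because the user did not need it at startup, not because the entry itself looked wrong.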


#9 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 21 November 2006 - 02:30 AM

Wow, thanks for all the next steps. I won't have a chance to complete this tonight, but I will try to do it by tomorrow!

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 21 November 2006 - 03:49 AM

OK, good luck, I look forward to hearing your results! :thumbsup:

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 23 November 2006 - 04:40 PM

Hello Beltway, sorry for the delay in getting back to you.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet)

Done.

======


QUOTE
I noticed that Spyware Guard, which I turned off and exited, was running when the computer came on, probably I need to turn off "turn on on start up" which I did not do

Can you do this for me please. The reason we do this is because if it is running in the background, it can interfere with some of the fixes we need to make using HijackThis.

Done ( I deactivated it)

======


QUOTE
Can this Clicker.FR thing, make it unsafe for me to access personal information?

That depends on what else is lurking on your computer that we cannot see. But since it's better to be safe than sorry, and since you are concerned about it, you can change all your passwords from another (clean) computer to prevent anything like this happening.

OK, but I guess I would have to do that from another PC every time I logged on again from this PC. So effectively I am out of the game, or I have to take the risk.

======

Since your last post, you seem to have moved HijackThis from C:\Program Files\HijackThis to your Desktop. Although this makes it easier for you to access, it is not a good idea; HJT creates backups of the items we fix, and if it is on the Desktop they will be created there too. Then you might accidentally delete them, and if we do something wrong, we won't have any backups to restore. Please move it back to where it was originally, please.

Yes, I had two copies on my PC. I have removed them both but kept the backups. I don’t know how it got on the Desktop, but for some reason this program won’t move from the desktop. I downloaded it again and saved it on C.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

I believe it worked out fine because I watched it download the update, although I never saw the phrase “Update Successful”. Just to be safe I installed it manually as well.

======

Make sure that you can see hidden files.
1. Click Start.
2. Click My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide protected operating system files (recommended) option.
7. Click Yes to confirm.
8. Uncheck the Hide file extensions for known file types.
9. Click OK.
I noticed the hidden files was already unchecked probably from a previous attempt at fixing something a long time ago.

Go to Start | Control Panel | Add/Remove Programs and remove the following (if they exist):

Web Savings from Ebates

Java Virtual Machine Launcher says “Could not find the main class. Program will exit” when I try to remove it. Which is why this thing remains on the list (I have tried to remove it before).

Logitech Desktop Messenger
Logitech® Desktop Messenger (LDM) is a free service designed to deliver software support, news and information you can use. LDM ensures that you have simple, speedy, and effortless access to product upgrades, technology tips, and technology news and offers that are relevant to you. LDM delivers information right to your desktop, allowing you to take advantage of all of the advanced features of the Logitech products you own, while staying abreast of new computer-related product and service developments (Logitech and otherwise) that are applicable to your life. Once a week, when connected to the internet, Logitech Desktop Messenger will automatically connect with Logitech servers to see if there are any new messages for you. It performs this check during idle time to avoid slowing down other applications that may be accessing the Internet. If there is a message on the server, then Logitech Desktop Messenger will download the message utilizing bandwidth that would otherwise be unused. After the message is downloaded, Logitech Desktop Messenger will wait for one minute of keyboard and mouse inactivity before displaying the message on your screen. I suggest doing all updates yourself and removing this application!

Java said uninstall failed “Invalid Settings” but it is no longer on the list.

µTorrent

I use this one but, as you suggest, I won’t use it during this fix. And to be honest I don’t use these types of programs very much anyways.

BitLord 1.1
BitTornado 0.3.12
BitTorrent 4.0.1
eMule
Kazaa Lite v2.1.0 [K++ Edition] [build 3]

I removed them.

#12 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 23 November 2006 - 04:42 PM

LimeWire 4.12.6

I kept this one. I use it and µTorrent occasionally, but I won’t use it during this fix.

You are using PeerToPeer programs. These are optional removals. However, anytime you are running any type of p2p application, you are more prone to infection by malware. The choice to remove it is entirely up to you, but I would strongly recommend that you get rid of them. If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.
Read this article for alternatives that will provide some of the same function without the garbage:
http://www.spywareinfo.com/articles/p2p/ or http://p2p.malwareremoval.com/

Remember that these may require you to reboot your computer to complete the uninstallation- just let them.

From what I read from your links, both µTorrent and at least the current version of LimeWire do not have spyware or adware bundled within them.

======

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
• Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.

Done.
======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O4 - HKCU\..\Run: [LDM] \Program\
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

The first one was not there, the other two were checked and fixed.


Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.
I did it by going into MSconfig because I was having trouble the other way.
======

Next, please find and delete the following files/folders (if present):

C:\Program Files\Web Savings from Ebates <--Folder

Does not exist.

C:\WINDOWS\system32\{235C64D4-310D-4666-9DDB-2157D3CE4B59}.exe <--File
C:\WINDOWS\system32\{402560F5-62E5-4874-95B2-00D0858FC410}.exe <--File

If they are there I could not find them.

If you removed the P2P programs, delete these folders:

C:\Program Files\µTorrent

Keeping that one
C:\Program Files\BitLord
C:\Program Files\BitTornado
C:\Program Files\BitTorrent
C:\Program Files\eMule
C:\Program Files\Kazaa

Removed these but not all of the folders existed.
C:\Program Files\LimeWire

Keeping

If you removed Logitech Desktop Messenger, delete this folder:

C:\Program Files\Logitech Desktop Messenger

There was only a Desktop Messenger folder inside the Logitech folder which also contained the Setpoint folder. So I removed the Desktop Messenger folder inside that folder. I hope it’s the same thing.

======

* Clean your Cache and Cookies in IE:
• Close all instances of Outlook Express and Internet Explorer
• Go to Control Panel > Internet Options > General tab
• Click the "Delete Cookies" button
• Next to it, Click the "Delete Files" button
• When prompted, place a check in: "Delete all offline content", click OK

Done
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
• Go to Tools > Options.
• Click Privacy in the menu on the left side of the Options window.
• Click the Clear button located to the right of each option (History, Cookies, Cache).
• Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.
Done
* Clean other Temporary files + Recycle bin
• Go to start > run and type: cleanmgr and click ok.
• Let it scan your system for files to remove.

#13 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 23 November 2006 - 04:45 PM

• Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
• Press OK to remove them.

This did not work! I tried it and it got stuck four bars into the clean. It would not budge past that point. Maybe I did not wait long enough (almost twenty minutes). It stayed on the same spot. The process was still running but nothing was happening. I cancelled and tried it again, and then it would not even start! What gives? Even after many attempts it would not start again.
Now I am trying it again and I go to task manager and see the process IS running yet it does not appear on my screen nor as an application. Cleanmgr.exe is running though. I am just going to go to the next step.
======


Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
• Click on Scanner on the toolbar.
• Click on the Settings tab.
  • Under How to act?
    • Click on Recommended Action and choose Quarantine from the popup menu.
  • Under How to scan?
    • All checkboxes should be ticked.
  • Under Possibly unwanted software:
    • All checkboxes should be ticked.
  • Under Reports:
    • Select Automatically generate report after every scan and uncheck Only if threats were found.
  • Under What to scan?
    • Select Scan every file.
• Click on the Scan tab.
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.
• When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)

• When done, click the Save Scan Report button. (4)
  • Click the Save Report as button.
  • Save the report to your Desktop.
• Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

I messed up here because I did not change it to Quarantine, but left it Custom. Although on the other page it said quarantine already (which is why I messed up).
======

Reboot into Normal Mode again.

Done


======

Download this file - combofix.exe
Double click combofix.exe and then follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

======

Please post me back the following logs (you may need more than one reply to get them all in!):
- New Hijackthis log
- AVG log
- ComboFix log

Thanks,
Charles

Done

What is this file that sometimes appears when I shut down? Hpoevm08.exe. Task Manager pops up and I have to end it.


#14 Beltway

Beltway
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 23 November 2006 - 04:47 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:48:42 PM, on 11/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ACT\SideACT.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\Symantec\WinFax\WTNSETUP.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153864241656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153864219406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Admin - 06-11-23 2:29:12.70 Service Pack 1
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Admin\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\teller.chk


((((((((((((((((((((((((((((((( Files Created from 2006-10-23 to 2006-11-23 ))))))))))))))))))))))))))))))))))


2006-11-22 13:39 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-22 00:09 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-19 19:15 <DIR> d-------- C:\fixwareout
2006-11-15 23:09 <DIR> d-------- C:\Program Files\HijackThis
2006-11-15 22:30 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-11-15 19:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-15 17:01 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2006-11-10 23:10 <DIR> d-------- C:\Program Files\Taipan
2006-11-10 22:23 <DIR> d-------- C:\Program Files\Wizard's Quest
2006-11-08 01:15 6,144 --a------ C:\WINDOWS\system32\W95fiber.dll
2006-11-08 01:15 415,504 --a------ C:\WINDOWS\system32\Msrepl35.dll
2006-11-08 01:15 32,256 --a------ C:\WINDOWS\system32\Selfreg.dll
2006-11-08 01:15 31,744 --a------ C:\WINDOWS\system32\Hlp95en.dll
2006-11-08 01:15 20,080 --a------ C:\WINDOWS\system32\Winsspi.dll
2006-11-08 01:15 195,072 --a------ C:\WINDOWS\system32\Msodeusa.dll
2006-11-08 01:15 162,304 --a------ C:\WINDOWS\system32\vb32dx8pl.dll
2006-11-08 01:15 12,288 --a------ C:\WINDOWS\system32\Hlinkprx.dll
2006-11-08 01:15 <DIR> d-------- C:\Program Files\Task Manager 2007
2006-11-08 01:15 <DIR> d-------- C:\Program Files\Access Runtime 3
2006-11-08 00:34 <DIR> d-------- C:\Program Files\myLifeOrganized.net
2006-11-07 15:06 <DIR> d-------- C:\Program Files\UnrealStreaming
2006-11-05 23:07 <DIR> d-------- C:\Program Files\Myth II
2006-11-05 21:40 <DIR> d-------- C:\Program Files\Myth II Demo
2006-11-05 21:18 <DIR> d-------- C:\Program Files\TimeGate Studios
2006-11-01 23:44 <DIR> d-------- C:\Documents and Settings\Admin\r1ptemp96


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-23 02:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-23 00:15 -------- d-------- C:\Program Files\Logitech
2006-11-22 22:32 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-11-22 13:40 -------- d-------- C:\Program Files\Java
2006-11-22 13:39 -------- d-------- C:\Program Files\Common Files
2006-11-22 01:01 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-22 00:09 -------- d-------- C:\Program Files\Grisoft
2006-11-20 01:42 -------- d-------- C:\Documents and Settings\Admin\Application Data\uTorrent
2006-11-19 23:47 -------- d-------- C:\Program Files\ACT
2006-11-19 18:22 -------- d-------- C:\Program Files\ESET
2006-11-19 17:48 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-15 21:59 -------- d-------- C:\Program Files\WinZip
2006-11-15 21:59 -------- d-------- C:\Program Files\WinRAR
2006-11-15 21:59 -------- d-------- C:\Program Files\Winamp
2006-11-15 21:56 -------- d-------- C:\Program Files\SpywareGuard
2006-11-15 21:54 -------- d-------- C:\Program Files\PeerGuardian2
2006-11-15 21:53 -------- d-------- C:\Program Files\MSN Messenger
2006-11-15 21:51 -------- d-------- C:\Program Files\Microsoft IntelliPoint
2006-11-15 21:44 -------- d-------- C:\Program Files\Internet Explorer
2006-11-15 12:39 -------- d-------- C:\Documents and Settings\Admin\Application Data\Lavasoft
2006-11-15 12:36 -------- d-------- C:\Program Files\Lavasoft
2006-11-06 14:36 -------- d-------- C:\Program Files\Strategy First
2006-10-22 19:06 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-22 19:06 -------- d-------- C:\Program Files\Common Files\Concord Shared
2006-10-22 19:05 41 --a--c--- C:\WINDOWS\WFXDEL.BAT
2006-10-22 19:05 -------- d-------- C:\Program Files\Common Files\Novell Shared
2006-10-22 18:49 -------- d-------- C:\Program Files\WinFax-Pro-1002
2006-10-21 09:02 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-21 09:02 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-14 19:28 -------- d-------- C:\Program Files\PPStream
2006-10-14 19:28 -------- d-------- C:\Documents and Settings\Admin\Application Data\ppstream
2006-10-14 16:12 -------- d-------- C:\Program Files\Samu Games
2006-10-14 13:07 -------- d-------- C:\Program Files\Nowcom
2006-09-29 16:26 -------- d-------- C:\Program Files\Windows Media Player
2006-09-26 22:49 23880 --a--c--- C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2006-08-02 23:26 73236480 --a------ C:\Program Files\WinFax-Pro-1002.ISO


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"Tukati:4"="C:\\Program Files\\Tukati\\Redistributor\\4\\TukatiRedistributor.exe -r:4 -x:2"
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AGRSMMSG"="AGRSMMSG.exe"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"PCDRealtime"="C:\\WINDOWS\\realtime.exe"
"kdx"="C:\\WINDOWS\\kdx\\KHost.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NWEReboot"=""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"WFXSwtch"="C:\\PROGRA~1\\Symantec\\WinFax\\WFXSWTCH.exe"
"WinFaxAppPortStarter"="wfxsnt40.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoFolderOptions"=dword:00000000
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WksPatch"=dword:00000002
"SoundMAX Agent Service (default)"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1057817935.job
C:\WINDOWS\tasks\WebReg 20061026102709.job
C:\WINDOWS\tasks\WebReg 20061106102935.job
C:\WINDOWS\tasks\WebReg 20061111234731.job
C:\WINDOWS\tasks\WebReg 20061114120254.job
C:\WINDOWS\tasks\WebReg 20061115141911.job
C:\WINDOWS\tasks\WebReg 20061121210157.job
C:\WINDOWS\tasks\WebReg 20061122131229.job
C:\WINDOWS\tasks\WebReg 20061122225901.job

Completion time: 06-11-23 2:30:26.23
C:\ComboFix.txt ... 06-11-23 02:30

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:19:23 AM 11/23/2006

+ Scan result:



C:\Temp\Uninstall.exe -> Adware.Browvil : Cleaned with backup (quarantined).
HKU\S-1-5-21-507921405-1958367476-725345543-1003\Software\ezSearchBar2 -> Adware.EzSearchBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-507921405-1958367476-725345543-1003\Software\ezSearchBar2\Script -> Adware.EzSearchBar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msiaih.dll -> Adware.Ipend : Cleaned with backup (quarantined).
C:\WINDOWS\connect.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Program Files\WinRAR\WinRar3.11_crack_by_Nidhi.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\37iiz7ns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\37iiz7ns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.107:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.109:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-2.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.143:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.220:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.22:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.23:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.247:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.24:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.25:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-2.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.26:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-2.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.32:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.342:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.34:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.35:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.37:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.49:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.50:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.51:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.52:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.53:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.54:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.74:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-4.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.75:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-4.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.76:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-4.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.77:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-4.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.82:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.64:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Com : Cleaned.
:mozilla.225:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.197:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.198:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.199:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.203:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.204:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.205:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.139:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.140:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.141:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.142:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.143:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.144:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.145:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.146:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.263:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.264:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.265:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.266:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.49:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.50:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.51:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.52:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.62:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.63:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.64:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.65:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.106:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-2.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.103:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-2.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.11:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-4.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.12:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-4.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.13:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-4.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.22:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.23:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.24:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.25:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.26:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.27:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-3.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.36:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.37:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.38:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-5.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.67:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\84se92u5.Default User\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Admin\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\4EDAFDC5-2CDA-4310-8944-6DFC09\140C693C-E000-41F9-BD38-9D2524 -> Trojan.Fakealert : Cleaned with backup (quarantined).


::Report end

#15 rookie147

  • Members
  • 5,321 posts

Posted 24 November 2006 - 06:58 AM

Hello Beltway.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet there).

======

From what I read from your links, both UTorrent and at least the current version of LimeWire do not have spyware or adware bundled within them.

I understand this; those two may be clean, but most, if not all, of the others come bundled with malware. With P2P programs, even if one is pronounced clean, this is just the program itself, and many of the files you download with them are infected. That's why I have to recommend that you remove them, to stop you becoming infected again in the future. This is probably where your infection came from in the first place as well.

======

It stayed on the same spot. The process was still running but nothing was happening. I cancelled and tried it again and then it would not even start! What gives? Even after many attempts it would not start again.
Now I am trying it again and I go to task manager and see the process IS running yet it does not appear on my screen nor as an application. Cleanmgr.exe is running though. I am just going to go to the next step.

Depending on how much cleanmgr has to clean, this process can take a long time; for example, on a computer where it has not been run for many years, it can take hours to complete. I think it would be better if you could run it for me: just start the scan and leave it to run for a few hours. If it still gets stuck, don't worry about it, move on to the next step.

======

What is this file that sometimes appears when I shut down? Hpoevm08.exe Task Manager pops up and I have to end it.

That file is related to your printer; for more information, take a look here:
http://www.liutilities.com/products/wintas...brary/hpoevm08/

======

It looks like SpywareGuard is still running, can you check this for me and if so, disable it again.

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

======

Next, please find and delete the following files/folders (if present):

C:\WINDOWS\system32\vb32dx8pl.dll <--File
C:\Documents and Settings\Admin\r1ptemp96 <--Folder, unless of course you know what it is?

======

Reboot into Normal Mode again.

======

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

======

Please run Panda's ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open- click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report in your next reply
======

Post me back a new HJT log, the Panda log, and answer me the following questions:
- This file was cleaned by AVG; do you know what it is: C:\Program Files\WinRAR\WinRar3.11_crack_by_Nidhi.exe
- How do things seem to be running now?


Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
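The HijackThis entries picked out in this reply (an O4 Run entry and an O18 protocol handler with "(no file)") are the kind of thing a helper triages by hand. The following is an added example, not code from the thread or from HijackThis: a small parser that takes a handful of lines copied from the log posted above, pulls the executable out of each O4/O23 entry, and flags three things worth a second look: entries whose file is missing, commands given as a bare filename that Windows locates through the PATH search at logon, and executables that live outside Program Files or System32. The trusted-directory list, the environment-variable expansion and the reason codes are assumptions of the example; a flag means "review this entry", not that the file is malicious (C:\WINDOWS\realtime.exe is flagged only because of its location).

```python
"""Added example: triage HijackThis-style log lines (not code from the thread or from HijackThis)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

SECTION_RE = re.compile(r'^(O\d+) - ')
# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
MISSING_RE = re.compile(r'\((?:file missing|no file)\)')

# Assumed for this example: HijackThis leaves these variables unexpanded, and the
# trusted directories are a choice, not something the tool defines.
ENV = {'%systemroot%': 'c:\\windows', '%windir%': 'c:\\windows'}
TRUSTED_PREFIXES = ('c:\\program files\\', 'c:\\progra~1\\', 'c:\\windows\\system32\\')

REASON_TEXT = {
    'orphaned': 'references a file that no longer exists; the entry can be removed',
    'bare-filename': 'bare filename, located through the PATH search at logon; confirm which file runs',
    'untrusted-location': 'executable outside Program Files / System32; verify the publisher',
}


@dataclass
class Finding:
    name: str
    section: str
    reasons: List[str]
    line: str


def expand(path: str) -> str:
    """Lower-case the path and expand the two variables seen in HijackThis output."""
    low = path.lower()
    for var, val in ENV.items():
        low = low.replace(var, val)
    return low


def executable_of(cmd: str) -> str:
    """Pick the file that actually runs from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ''
    if tokens[0].lower() in ('rundll32.exe', 'rundll32') and len(tokens) > 1:
        # rundll32 is a stock launcher; the DLL it loads is the thing to review
        return tokens[1].split(',', 1)[0]
    return tokens[0]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when nothing stands out."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    section = m.group(1)
    name, target, reasons = section, None, []
    if MISSING_RE.search(line):
        reasons.append('orphaned')
    o4 = O4_RE.match(line)
    if o4:
        name, target = o4.group('name'), executable_of(o4.group('cmd'))
    elif section == 'O23':
        # "O23 - Service: Display name (Short) - Company - path"
        name = line.split(': ', 1)[1].split(' - ', 1)[0]
        target = line.rsplit(' - ', 1)[-1].strip()
    if target:
        if '\\' not in target and '%' not in target:
            reasons.append('bare-filename')
        elif not expand(target).startswith(TRUSTED_PREFIXES):
            reasons.append('untrusted-location')
    return Finding(name, section, reasons, line) if reasons else None


def triage(log: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(ln.strip()) for ln in log.splitlines()) if f]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4}{f.name:<20}' + '; '.join(REASON_TEXT[r] for r in f.reasons))
```

Run as a script it lists four entries from the sample: AGRSMMSG (bare filename), PCDRealtime (outside the trusted directories), and the O9 and O18 lines (orphaned). The KernelFaultCheck entry is not flagged, which matches the reply: it is removed here as unneeded clutter, not because the parser can tell it apart from anything else under System32.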
