
Need Help Urgently !


21 replies to this topic

#1 Dave Lister

Dave Lister

  • Members
  • 23 posts

Posted 11 January 2007 - 03:58 PM

Hi, could somebody please help? I'm at my wits' end. My PC is running really slowly. I've run Ad-Aware SE, Spybot Search & Destroy, Norton Antivirus, Spyware Doctor and PC-cillin. They all find infections and say that they have deleted the problem files, but when they are run again they find the same problems.
They are Astakiller, Smitfraud-C.Toolbar888 and Virtumonde.
I also get a message about a file called spoolsc.exe and spooisv.exe and a few other variants of the same file.

If anybody can help me I would be eternally grateful.

Oh, almost forgot: I just ran HijackThis and this is a copy of the log:

Logfile of HijackThis v1.99.1
Scan saved at 17:53:34, on 11/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
d:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
H:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
R3 - URLSearchHook: (no name) - {2CC6F585-BD33-BEA5-E49F-010402BC848A} - SpyElim.dll (file missing)
R3 - URLSearchHook: (no name) - {67681676-7877-013A-B9A5-E46D5C9D00F2} - AliceSD.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - d:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AnimatedWallpaper] C:\Program Files\3d Animated Wallpaper\AnimWallpaper.exe
O4 - HKLM\..\Run: [Error Nuker] d:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [driver64] hyandex.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\vxboizfc.exe
O4 - HKLM\..\Run: [Windows Tilehome] Tilehome.com
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "d:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunServices: [Windows Tilehome] Tilehome.com
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spy Remover] D:\Program Files\Rizal\Spy Remover\SpyRemover.exe
O4 - HKCU\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "D:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB982542-A8AC-4715-973A-E677240C0AC6}: NameServer = 62.24.222.135 62.24.222.134
O18 - Protocol: bw+0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {156C3AFE-3382-4813-9BA2-533A4CC01D14} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch65.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - d:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Windows Terminal Services - Unknown owner - C:\WINDOWS\system32\spoolsc.exe (file missing)



Thanks again in advance


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 11 January 2007 - 05:42 PM

Add remove programs – remove Logitech desktop messenger

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

R3 - URLSearchHook: (no name) - {2CC6F585-BD33-BEA5-E49F-010402BC848A} - SpyElim.dll (file missing)

R3 - URLSearchHook: (no name) - {67681676-7877-013A-B9A5-E46D5C9D00F2} - AliceSD.dll (file missing)

O4 - HKLM\..\Run: [driver64] hyandex.exe

O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\vxboizfc.exe

O4 - HKLM\..\Run: [Windows Tilehome] Tilehome.com

O4 - HKLM\..\RunServices: [Windows Tilehome] Tilehome.com

O20 - AppInit_DLLs: C:\WINDOWS\System32\svch65.dll

O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

O23 - Service: Windows Terminal Services - Unknown owner - C:\WINDOWS\system32\spoolsc.exe (file missing)
==============================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Print Spooler

Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.


Repeat for Windows Terminal Services
=============================
Download http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these into the "Paste Full Path of File to Delete" box.



Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot

Download Superantispyware

http://www.superantispyware.com/superantis...efreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.


Please give feedback on what worked/didn't work and the current status of your system.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
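As an added triage example (not code from the thread, from HijackThis or from BleepingComputer), the following Python script parses HijackThis v1.99 log lines like the ones posted above and applies the rules of thumb MFDnSC used when choosing which entries to fix: entries marked "(file missing)", the AppInit_DLLs value, Run entries whose command carries no path, the legacy RunServices key, and labels that mimic Windows components. The sample lines are copied from the first log in the thread; the allow-list of bare executable names and the label patterns are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {2CC6F585-BD33-BEA5-E49F-010402BC848A} - SpyElim.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [driver64] hyandex.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\vxboizfc.exe
O4 - HKLM\..\Run: [Windows Tilehome] Tilehome.com
O4 - HKLM\..\RunServices: [Windows Tilehome] Tilehome.com
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch65.dll
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Terminal Services - Unknown owner - C:\WINDOWS\system32\spoolsc.exe (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [label] command".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 registry autostarts: hive, key (Run, RunOnce, RunServices...), label and command.
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<command>.+)$")
# Constructed heuristic: labels that pose as Windows components (as [Services], [Windows Tilehome], [driver64] did).
SYSTEMISH_LABEL = re.compile(r"^(services|windows\b.*|driver\d*)$", re.IGNORECASE)
# Constructed allow-list: rundll32.exe is a Windows binary and Mixer.exe is the C-Media applet the helper left alone.
ALLOWED_BARE = {"mixer.exe", "rundll32.exe"}


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return the section/body pairs of every HijackThis entry; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m["section"], "body": m["body"]})
    return entries


def first_token(command: str) -> str:
    """Executable part of a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def is_unqualified(path: str) -> bool:
    """True when there is no drive, directory or variable, i.e. the name is resolved via PATH at logon."""
    return not any(ch in path for ch in "\\/:%")


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the thread's rules of thumb; one (section, body, reason) per reason found."""
    findings = []
    for e in entries:
        section, body = e["section"], e["body"]
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("points at a file that no longer exists (stale hook or service entry)")
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs loads this DLL into every process that loads user32.dll")
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                if m["key"].lower() == "runservices":
                    reasons.append("RunServices is a Windows 9x-era key that XP-era software does not normally write")
                if SYSTEMISH_LABEL.match(m["label"]):
                    reasons.append(f"label '{m['label']}' mimics a Windows component")
                exe = first_token(m["command"])
                if is_unqualified(exe) and exe.lower() not in ALLOWED_BARE:
                    reasons.append(f"'{exe}' has no path and is resolved through PATH at logon")
        for reason in reasons:
            findings.append((section, body, reason))
    return findings


def flagged_bodies(text: str) -> Set[str]:
    """The distinct entries a helper would want to review in a log."""
    return {body for _, body, _ in triage(parse_hjt(text))}


if __name__ == "__main__":
    for section, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {body}\n    -> {reason}")
```

Run against the sample, the flagged set is exactly the eight entries MFDnSC told the poster to fix, while the C-Media, Bluetooth, Nero, MSN and Symantec entries pass.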

#3 Dave Lister

Dave Lister
  • Topic Starter

  • Members
  • 23 posts

Posted 12 January 2007 - 03:16 PM

Hi MFDnSC, thanks for getting back to me so quickly.

A couple of things: whenever I boot up it tells me there is no disk in A: and I have to click Cancel every time; also my printer drivers have gone and it won't let me re-install them, and I'm getting a buffer overrun message for C:\windows\explorer. If I click OK it shuts all the windows and refreshes the desktop, but it had been doing this intermittently prior to me posting this.

I started following your instructions but I think I may have misunderstood and made things worse; I hope we can put it right. Here goes: I followed your instructions OK up to running Killbox. You said to "copy each of the following lines" into the "full path of file to delete" box in Killbox, but I wasn't clear what following lines you meant. I couldn't see any, and I thought you may have meant the first ones from the HijackThis list, so I put those in, sorry. It wasn't until I re-read your instructions that I realised I had screwed up.
I followed everything else exactly as you said, but I'm not sure if I've created even more problems now.
When you asked me to run the SUPERAntiSpyware scan, you specified the C: drive. I have D, G & H hard disks; do you need a log including these or not?

If I'm unsure in future, I'll ask you before I go ahead and do anything. I'm just thankful that I'm still able to use it to get online and post this reply.

Anyway, here is the SUPERAntiSpyware log followed by the new HijackThis log.



SUPERAntiSpyware Scan Log
Generated 01/12/2007 at 06:44 PM

Application Version : 3.4.1000

Core Rules Database Version : 3143
Trace Rules Database Version: 1175

Scan type : Complete Scan
Total Scan Time : 00:33:43

Memory items scanned : 402
Memory threats detected : 0
Registry items scanned : 5727
Registry threats detected : 9
File items scanned : 2075
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Ade\Cookies\ade@revsci[1].txt
C:\Documents and Settings\Ade\Cookies\ade@adultadworld[2].txt
C:\Documents and Settings\Ade\Cookies\ade@ads.autotrader.co[1].txt
C:\Documents and Settings\Ade\Cookies\ade@audit.median[1].txt
C:\Documents and Settings\Ade\Cookies\ade@image.masterstats[1].txt
C:\Documents and Settings\Ade\Cookies\ade@sc[1].txt
C:\Documents and Settings\Ade\Cookies\ade@a[1].txt
C:\Documents and Settings\Ade\Cookies\ade@s[1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}\Data
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel

Parasite.CoolWebSearch Variant
HKCR\CLSID\{11B80E45-BEC0-8756-1DFA-87AE79FA25EC}
HKCR\CLSID\{11B80E45-BEC0-8756-1DFA-87AE79FA25EC}\Data

Trojan.SmartFinder
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}\Data


HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 20:12:05, on 12/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Autodata Limited

Shared\Service\ADCDLicSvc.exe
D:\Program Files\IVT

Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
d:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\Program Files\Trend Micro\Internet Security

2006\pccguide.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
H:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Window Title = Microsoft Internet

Explorer provided by Fast4
O3 - Toolbar: MSN -

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program

Files\MSN Apps\MSN

Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio -

{8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Trend Micro Antifraud Toolbar -

{871F91FD-3A92-4988-A842-16AB2CFF5AF1} -

d:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AnimatedWallpaper] C:\Program

Files\3d Animated Wallpaper\AnimWallpaper.exe
O4 - HKLM\..\Run: [Error Nuker] d:\Program Files\Error

Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent]

rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program

Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "d:\Program

Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN

Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spy Remover] D:\Program

Files\Rizal\Spy Remover\SpyRemover.exe
O4 - HKCU\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "D:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB982542-A8AC-4715-973A-E677240C0AC6}: NameServer = 62.24.252.134 62.24.252.135
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - d:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 12 January 2007 - 05:03 PM

Please post the log again - but in Notepad uncheck Word Wrap in the FORMAT menu
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 Dave Lister

Dave Lister
  • Topic Starter

  • Members
  • 23 posts

Posted 12 January 2007 - 05:14 PM

ok, here goes

SUPERAntiSpyware Scan Log
Generated 01/12/2007 at 06:44 PM

Application Version : 3.4.1000

Core Rules Database Version : 3143
Trace Rules Database Version: 1175

Scan type : Complete Scan
Total Scan Time : 00:33:43

Memory items scanned : 402
Memory threats detected : 0
Registry items scanned : 5727
Registry threats detected : 9
File items scanned : 2075
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Ade\Cookies\ade@revsci[1].txt
C:\Documents and Settings\Ade\Cookies\ade@adultadworld[2].txt
C:\Documents and Settings\Ade\Cookies\ade@ads.autotrader.co[1].txt
C:\Documents and Settings\Ade\Cookies\ade@audit.median[1].txt
C:\Documents and Settings\Ade\Cookies\ade@image.masterstats[1].txt
C:\Documents and Settings\Ade\Cookies\ade@sc[1].txt
C:\Documents and Settings\Ade\Cookies\ade@a[1].txt
C:\Documents and Settings\Ade\Cookies\ade@s[1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}\Data
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel

Parasite.CoolWebSearch Variant
HKCR\CLSID\{11B80E45-BEC0-8756-1DFA-87AE79FA25EC}
HKCR\CLSID\{11B80E45-BEC0-8756-1DFA-87AE79FA25EC}\Data

Trojan.SmartFinder
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}\Data




Logfile of HijackThis v1.99.1
Scan saved at 20:12:05, on 12/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
d:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
H:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - d:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AnimatedWallpaper] C:\Program Files\3d Animated Wallpaper\AnimWallpaper.exe
O4 - HKLM\..\Run: [Error Nuker] d:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "d:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spy Remover] D:\Program Files\Rizal\Spy Remover\SpyRemover.exe
O4 - HKCU\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "D:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB982542-A8AC-4715-973A-E677240C0AC6}: NameServer = 62.24.252.134 62.24.252.135
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - d:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Hope this is ok. Thanks again.

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 12 January 2007 - 06:08 PM

Log looks fine

I see nothing that would try to access A:

I screwed up and did not provide the files to delete, but you were correct going after the files in the list above.

When exactly do you get the A: message?

Give me more on the IE error.



IE Fix - http://windowsxp.mvps.org/IEFIX.htm - Repair - http://www.theeldergeek.com/repair_ie6.htm

#7 Dave Lister

Dave Lister
  • Topic Starter

  • Members
  • 23 posts

Posted 12 January 2007 - 06:28 PM

Hi, I get the A: drive error as soon as the machine boots up, usually twice; hit Cancel and it seems ok.
The message is: no disk in drive, insert a disk into drive A:
Cancel, Try Again, Continue

The other popup window is titled Microsoft Visual C++ Runtime Library
Buffer overrun detected!
Program: c:\windows\explorer.exe

A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must be terminated.

The only option is OK; if I click it, all windows close and the system refreshes, then I get the A: drive message again, but only once.

If I want to continue using the PC, I have to move the message box to the edge of the screen or I just continually go around in circles.

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 12 January 2007 - 07:45 PM

Is the A: message before or after XP has loaded? If before, change the boot sequence in your BIOS.

Uninstall the MSN toolbar

Did you do the IE Fix - repair?

Edited by MFDnSC, 12 January 2007 - 07:46 PM.


#9 Dave Lister

Dave Lister
  • Topic Starter

  • Members
  • 23 posts

Posted 13 January 2007 - 02:12 PM

Hi, yes I ran the IE fix; I'm going to uninstall the MSN toolbar after posting this.
I've run Spybot, Ad-Aware SE, Spyware Doctor & SUPERAntiSpyware, and I'm posting the threat info below.
When I click fix, then re-run the software, they're still finding the same problems. Any ideas?

Thanks

spyware doctor log

Virtumonde HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C} Elevated
Virtumonde HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}## Elevated
Virtumonde HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32 Elevated
Virtumonde HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32## Elevated
Virtumonde HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32##ThreadingModel Elevated
Virtumonde HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C} Elevated
Virtumonde HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}## Elevated
Virtumonde HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32 Elevated
Virtumonde HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32## Elevated
Virtumonde HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32##ThreadingModel Elevated
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C} Elevated
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}##





--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

--- Search result list ---
Smitfraud-C.Toolbar888: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

AstaKiller: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}






SUPERAntiSpyware Scan Log

Generated 01/13/2007 at 02:25 PM

Application Version : 3.4.1000

Core Rules Database Version : 3143
Trace Rules Database Version: 1175

Scan type : Complete Scan
Total Scan Time : 01:50:11

Memory items scanned : 395
Memory threats detected : 0
Registry items scanned : 5723
Registry threats detected : 3
File items scanned : 10032
File threats detected : 0

Unclassified.Unknown Origin
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 13 January 2007 - 02:45 PM

This is a false positive - make sure your definitions are current
Smitfraud-C.Toolbar888: Class ID (Registry key, nothing done)

Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
· Restart your computer
· After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
· Instead of Windows loading as normal, the Advanced Options Menu should appear;
· Select the first option, to run Windows in Safe Mode, then press Enter.
· Choose your usual account.
· Open the extracted SDFix folder and double click RunThis.bat to start the script.
· Type Y to begin the cleanup process.
· It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
· Press any Key and it will restart the PC.
· When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
· Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
· Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

#11 Dave Lister

Dave Lister
  • Topic Starter

  • Members
  • 23 posts

Posted 13 January 2007 - 06:33 PM

Here you go, as requested. Before I ran SDFix, when I ran SUPERAntiSpyware, it found 3 issues; I clicked Next to delete, then ran it again and it showed 9. I'm going to run it again after posting this to you. Will let you know the results.


SDFix: Version 1.58

13/01/2007 - 21:26:06.40

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

Windows Terminal Services

Path:

"C:\WINDOWS\system32\spoolsc.exe"

Windows Terminal Services Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting

Normal Mode:

Checking Files:


Files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\ADDAH32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDCO.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDEN.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDHB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDIH32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDKD.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDLK32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDME32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDMJ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDMU.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDQS32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDSZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\ADDXW.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIBR.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIGI.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIHE32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIQZ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APISM.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIVP32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIWQ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIZC.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPAG.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPAH.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPCK.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPEA.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPNW32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPOK.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPPD32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPVR32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APPZJ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLCZ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLDL.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLET32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLHI.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLIZ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLLR32.EXE - Deleted
C:\WINDOWS\SYSTEM32\ATLYB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRAB.EXE - Deleted
C:\WINDOWS\SYSTEM32\CREB.EXE - Deleted
C:\WINDOWS\SYSTEM32\CREO.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRKS.EXE - Deleted
C:\WINDOWS\SYSTEM32\CRYY32.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3BX.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3GO.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3MZ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3UP32.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3VC.EXE - Deleted
C:\WINDOWS\SYSTEM32\D3YA32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEDG.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEDY.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEOU32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEQT.EXE - Deleted
C:\WINDOWS\SYSTEM32\IERG.EXE - Deleted
C:\WINDOWS\SYSTEM32\IETM32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IEYG.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPAH.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPDE32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPHR.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPQJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPRC.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPSW32.EXE - Deleted
C:\WINDOWS\SYSTEM32\IPZH.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAMJ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAOC32.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVARX.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAVH32.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAVM.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCDO.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCGD.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCHL.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCHV.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCLU.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCMD32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCNF.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCVU32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MFCYD.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSCS32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSDK32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSFJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSJY32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSKZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSLJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSNS32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSOG32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSOX32.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSSB.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSWQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\MSYF32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETAR.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETED32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETEQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETFN32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETLK.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETMH32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETMS32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETOB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETRL.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETTL.EXE - Deleted
C:\WINDOWS\SYSTEM32\NETXR32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTCL.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTDB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTHV.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTKJ32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTSJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTTM32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTWX32.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTYL.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKID.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKLM32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKOP32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKSM32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKYB.EXE - Deleted
C:\WINDOWS\SYSTEM32\SDKYL32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSCY.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSDB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSIB.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSQS32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSWF.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSWS32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSXM32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SYSYC.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINCR.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINEB32.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINJD.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINVO.EXE - Deleted
C:\PROGRA~1\LOGITECH\IMVIDE~1\VIDEOIM.EXE - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\TFTP1908 - Deleted
C:\WINDOWS\system32\TFTP3380 - Deleted
C:\WINDOWS\system32\winsecure.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Halflife 2\\hl2.exe"="D:\\Halflife 2\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\PopCap Games\\AstroPop Deluxe\\WinAP.exe"="C:\\Program Files\\PopCap Games\\AstroPop Deluxe\\WinAP.exe:*:Disabled:AstroPop Deluxe"
"D:\\Program Files\\eXeem\\eXeem.exe"="D:\\Program Files\\eXeem\\eXeem.exe:*:Disabled:eXeem"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"D:\\utorrent 1.5.exe"="D:\\utorrent 1.5.exe:*:Enabled:µTorrent"
"D:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="D:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with hidden attributes:

C:\NTDETECT.COM
C:\WINDOWS\system32\awtrsrs.dll
C:\WINDOWS\system32\byxvtur.dll
C:\WINDOWS\system32\byxxxut.dll
C:\WINDOWS\system32\efcyyvw.dll
C:\WINDOWS\system32\gebxwwu.dll
C:\WINDOWS\system32\iifcdax.dll
C:\WINDOWS\system32\iifcyyx.dll
C:\WINDOWS\system32\iiigd.dll
C:\WINDOWS\system32\jkkhghi.dll
C:\WINDOWS\system32\jkkhhgh.dll
C:\WINDOWS\system32\jkkjiih.dll
C:\WINDOWS\system32\ljjkllj.dll
C:\WINDOWS\system32\nnnmklm.dll
C:\WINDOWS\system32\nnnmljg.dll
C:\WINDOWS\system32\opnnomm.dll
C:\WINDOWS\system32\pmnlmkk.dll
C:\WINDOWS\system32\qomkjkh.dll
C:\WINDOWS\system32\vtuuspo.dll
C:\WINDOWS\system32\xxyvuvu.dll
C:\WINDOWS\system32\xxywurs.dll
C:\WINDOWS\system32\xxywwwx.dll
C:\WINDOWS\system32\yayvvtu.dll
C:\WINDOWS\system32\yayxxuv.dll
C:\WINDOWS\system32\yayywxx.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Ade\Local Settings\Temp\BIT6.tmp
C:\WINDOWS\system32\dgiii.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished


Logfile of HijackThis v1.99.1

Scan saved at 23:30:52, on 13/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
d:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
H:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - d:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AnimatedWallpaper] C:\Program Files\3d Animated Wallpaper\AnimWallpaper.exe
O4 - HKLM\..\Run: [Error Nuker] d:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "d:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spy Remover] D:\Program Files\Rizal\Spy Remover\SpyRemover.exe
O4 - HKCU\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "D:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB982542-A8AC-4715-973A-E677240C0AC6}: NameServer = 62.24.128.18 62.24.128.17
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - d:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
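A triage script for reports like the SDFix and HijackThis logs above (an added example, not from this thread or from either tool). It pulls the Windows paths out of the log text and flags binaries whose name is one edit away from a core Windows binary, as spoolsc.exe is from the print spooler spoolsv.exe, or that fit the prefix-plus-two-letters naming scheme of the files SDFix deleted; the sample log is constructed from a few lines modelled on the report, and the prefix list and known-good exceptions are assumptions drawn from this report, not a published signature.

```python
"""Triage helper for SDFix / HijackThis style logs (added example).

Two heuristics, both taken from what the report above shows:
  1. a binary whose name is one edit away from a core Windows binary,
     e.g. spoolsc.exe standing in for the print spooler spoolsv.exe;
  2. an .exe in system32 following the "prefix + two letters [+ 32]"
     scheme of the files SDFix deleted (ADDAH32.EXE, APIBR.EXE, ...).
"""
import re

# Core Windows binaries whose names are commonly imitated.
KNOWN_BINARIES = sorted({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe",
})

# Prefixes observed in the report's deleted-files list (assumption: the
# list above is the only source; this is not a published signature).
RANDOM_PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
                   "mfc", "ms", "net", "nt", "sdk", "sys", "win")
RANDOM_NAME_RE = re.compile(
    r"^(?:" + "|".join(RANDOM_PREFIXES) + r")[a-z]{2}(?:32)?\.exe$")

# Legitimate XP binaries that happen to fit the scheme; extend as needed.
KNOWN_GOOD = {"netsh.exe", "ntsd.exe"}

# Any drive-letter path ending in .exe, possibly quoted or followed by
# arguments or " - Deleted".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def lookalike_of(name: str):
    """Return the core binary that 'name' imitates, or None."""
    name = name.lower()
    if name in KNOWN_BINARIES:
        return None
    for known in KNOWN_BINARIES:
        if edit_distance(name, known) == 1:
            return known
    return None


def triage_path(path: str) -> list:
    """Findings for one path; an empty list means nothing suspicious."""
    name = basename(path)
    findings = []
    target = lookalike_of(name)
    if target:
        findings.append(f"look-alike of {target}")
    if name not in KNOWN_GOOD and RANDOM_NAME_RE.match(name):
        findings.append("random-name pattern")
    return findings


def triage_log(log_text: str) -> dict:
    """Map each flagged path in the log to its findings (first hit wins)."""
    report = {}
    for path in PATH_RE.findall(log_text):
        findings = triage_path(path)
        if findings and path not in report:
            report[path] = findings
    return report


# Constructed sample modelled on the SDFix report and HijackThis log above.
SAMPLE_LOG = r"""
Checking Services:
Name:
Windows Terminal Services
Path:
"C:\WINDOWS\system32\spoolsc.exe"
Files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\ADDAH32.EXE - Deleted
C:\WINDOWS\SYSTEM32\APIBR.EXE - Deleted
C:\WINDOWS\SYSTEM32\JAVAVH32.EXE - Deleted
C:\WINDOWS\system32\winsecure.exe - Deleted
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for path, findings in triage_log(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(findings)}")
```

Names like winsecure.exe fall outside both heuristics and still need a manual look, which is why the output is a shortlist for review rather than a verdict.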

#12 Dave Lister

Dave Lister
  • Topic Starter

  • Members
  • 23 posts

Posted 14 January 2007 - 06:03 AM

Hi, when I booted up today and logged in, I got a blue screen message I've never seen before, after about 2 minutes.

It said, If you've never seen this message before, reboot

STOP: 0x0000008E 0xC0000005, 0xBF870358, 00xB7DF8C94, 0x00000000

Win32.sys-(missed the last line of numbers because it rebooted before i could jot them all down, but it was a line similar to one of the above numbers)

After it had rebooted I got the following message:

the system has recovered from a serious error
error signature
BCCode 1000008e BCP1:C0000005 BCP2:BF870558 BCP3:B7DF8C94 BCP4:00000000
OSVer:S_1_2600 SP:1_0 Product:256_1

Error report contents
C:\WINDOWS\Minidump\Mini011407-01.dmp
C:\Docume~1\ade\locals~1\temp\wer2.tmp.dir00\sysdata.xml

I'm also getting the "dial a connection" box popping up on its own.

#13 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 14 January 2007 - 10:34 AM

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
==========================

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

(It's a 2 week trial.)

* Click the Try Spy Sweeper for Free - Download the trial link. (Download Antivirus if required)
* Install it. During the install it will prompt for updates, these can be gotten now or later
* Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, if not already done so, before proceding check to ensure that you are up to date (Click Home > Bottom middle of page will tell you) .
* Once the definitions are installed, click Options on the left side.
* Click the Options tab on the left hand side.
* Chose Custom Sweep (Raido Buttom)
* Chose Change Settings (Link)
* Where to Sweep
> Select My Computer
* What to Sweep
> Select all options available (enable Virus scan if available)
* Skip File Types
> Do not skip any file types
* Advanced Options
> Select all options available


* Click Sweep on the left side.
* Click the Black arrow next to start full sweep
* Select Start Custom Sweep
* When it's done scanning, copy Items Found into Notepad
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click the Summary tab and click Finish.
* Compare the contents of the Notepad file to the report.
* Place the contents of the Notepad file into your next reply, identifying any items not removed.

If Spy Sweeper suggests rebooting and scanning again, repeat the process and copy that information into your next reply as well.


Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#14 Dave Lister

Dave Lister
  • Topic Starter

  • Members
  • 23 posts

Posted 15 January 2007 - 08:20 AM

Hi, I will attempt to do as you have advised, but after installing some Windows security updates last night, it will only boot up in safe mode. I've had to post this from work. I will try again tonight and keep you informed.

Thanks

#15 Dave Lister

Dave Lister
  • Topic Starter

  • Members
  • 23 posts

Posted 15 January 2007 - 04:32 PM

Hi, VundoFix worked a treat. Here's a copy of the logfile, followed by the new HijackThis logfile.
I'm running Spy Sweeper overnight; I will send you the results tomorrow.

VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 18:28:20 15/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtrsrs.dll
C:\WINDOWS\system32\byxvtur.dll
C:\WINDOWS\system32\byxxxut.dll
C:\WINDOWS\System32\dgiii.bak1
C:\WINDOWS\System32\dgiii.ini
C:\WINDOWS\System32\dgiii.ini2
C:\WINDOWS\System32\dgiii.tmp
C:\WINDOWS\system32\efcyyvw.dll
C:\WINDOWS\system32\gebxwwu.dll
C:\WINDOWS\system32\iifcdax.dll
C:\WINDOWS\system32\iifcyyx.dll
C:\WINDOWS\System32\iiigd.dll
C:\WINDOWS\system32\jkkhghi.dll
C:\WINDOWS\system32\jkkhhgh.dll
C:\WINDOWS\system32\jkkjiih.dll
C:\WINDOWS\system32\ljjkllj.dll
C:\WINDOWS\system32\nnnmklm.dll
C:\WINDOWS\system32\nnnmljg.dll
C:\WINDOWS\system32\opnnomm.dll
C:\WINDOWS\system32\pmnlmkk.dll
C:\WINDOWS\system32\qomkjkh.dll
C:\WINDOWS\system32\vtuuspo.dll
C:\WINDOWS\system32\xxyvuvu.dll
C:\WINDOWS\system32\xxywurs.dll
C:\WINDOWS\system32\xxywwwx.dll
C:\WINDOWS\system32\yayvvtu.dll
C:\WINDOWS\system32\yayxxuv.dll
C:\WINDOWS\system32\yayywxx.dll

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtrsrs.dll
C:\WINDOWS\system32\awtrsrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxvtur.dll
C:\WINDOWS\system32\byxvtur.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxxxut.dll
C:\WINDOWS\system32\byxxxut.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\dgiii.bak1
C:\WINDOWS\System32\dgiii.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\dgiii.ini
C:\WINDOWS\System32\dgiii.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\dgiii.ini2
C:\WINDOWS\System32\dgiii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\dgiii.tmp
C:\WINDOWS\System32\dgiii.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcyyvw.dll
C:\WINDOWS\system32\efcyyvw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxwwu.dll
C:\WINDOWS\system32\gebxwwu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifcdax.dll
C:\WINDOWS\system32\iifcdax.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifcyyx.dll
C:\WINDOWS\system32\iifcyyx.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\iiigd.dll
C:\WINDOWS\System32\iiigd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkhghi.dll
C:\WINDOWS\system32\jkkhghi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkhhgh.dll
C:\WINDOWS\system32\jkkhhgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjiih.dll
C:\WINDOWS\system32\jkkjiih.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ljjkllj.dll
C:\WINDOWS\system32\ljjkllj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnmklm.dll
C:\WINDOWS\system32\nnnmklm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnmljg.dll
C:\WINDOWS\system32\nnnmljg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnnomm.dll
C:\WINDOWS\system32\opnnomm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlmkk.dll
C:\WINDOWS\system32\pmnlmkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomkjkh.dll
C:\WINDOWS\system32\qomkjkh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuuspo.dll
C:\WINDOWS\system32\vtuuspo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyvuvu.dll
C:\WINDOWS\system32\xxyvuvu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywurs.dll
C:\WINDOWS\system32\xxywurs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywwwx.dll
C:\WINDOWS\system32\xxywwwx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayvvtu.dll
C:\WINDOWS\system32\yayvvtu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayxxuv.dll
C:\WINDOWS\system32\yayxxuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayywxx.dll
C:\WINDOWS\system32\yayywxx.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 20:04:14 15/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkkjiih.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkjiih.dll
C:\WINDOWS\system32\jkkjiih.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 20:21:12 15/01/2007

Listing files found while scanning....

No infected files were found.

------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:10:15, on 15/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
d:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
H:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - d:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {D9FF6A49-2915-40B6-BE1C-EB1F134DE018} - C:\WINDOWS\System32\iiigd.dll (file missing)
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - d:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AnimatedWallpaper] C:\Program Files\3d Animated Wallpaper\AnimWallpaper.exe
O4 - HKLM\..\Run: [Error Nuker] d:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "d:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spy Remover] D:\Program Files\Rizal\Spy Remover\SpyRemover.exe
O4 - HKCU\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "D:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB982542-A8AC-4715-973A-E677240C0AC6}: NameServer = 62.24.222.134 62.24.222.135
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - d:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - d:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - d:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
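A small Python parser, added here and not part of the thread or of the VundoFix/HijackThis tools, for the two logs above: it tracks which files VundoFix could not delete on one run and whether the reboot rerun MFDnSC describes got them, and flags O2 BHO entries whose DLL is now gone, i.e. registry references left behind after the file removal. The sample log text is constructed from paths in this thread, and the O2 line layout the regex assumes is my assumption.

```python
import re

# Constructed sample, cut down from the VundoFix output in this thread: two runs, the
# second being the reboot rerun that removes the file the first run could not delete.
VUNDOFIX_LOG = r"""
VundoFix V6.3.2
Attempting to delete C:\WINDOWS\system32\jkkjiih.dll
C:\WINDOWS\system32\jkkjiih.dll Could not be deleted.
Attempting to delete C:\WINDOWS\System32\iiigd.dll
C:\WINDOWS\System32\iiigd.dll Has been deleted!
VundoFix V6.3.2
Attempting to delete C:\WINDOWS\system32\jkkjiih.dll
C:\WINDOWS\system32\jkkjiih.dll Has been deleted!
"""
# Constructed HijackThis O2 lines; the first is the orphaned CLSID seen in this thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {D9FF6A49-2915-40B6-BE1C-EB1F134DE018} - C:\WINDOWS\System32\iiigd.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
"""
# Assumed O2 layout: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]".
O2_LINE = re.compile(r"^O2 - BHO: .+ - (\{[0-9A-Fa-f-]+\}) - (.+?)( \(file missing\))?$")


def parse_vundofix(text):
    """One dict per VundoFix run, holding lowercase paths it deleted or failed to delete."""
    runs = []
    for line in text.splitlines():
        if line.startswith("VundoFix V"):
            runs.append({"deleted": set(), "failed": set()})
        elif runs and line.endswith(" Has been deleted!"):
            runs[-1]["deleted"].add(line[:-len(" Has been deleted!")].lower())
        elif runs and line.endswith(" Could not be deleted."):
            runs[-1]["failed"].add(line[:-len(" Could not be deleted.")].lower())
    return runs


def outstanding(runs):
    """Paths that failed in some run and that no later run managed to delete."""
    deleted = set().union(*(r["deleted"] for r in runs))
    failed = set().union(*(r["failed"] for r in runs))
    return sorted(failed - deleted)


def orphaned_bhos(hjt_text, runs):
    """O2 entries whose DLL is gone (reported missing, or deleted by VundoFix): leftover CLSIDs."""
    removed = set().union(*(r["deleted"] for r in runs))
    hits = []
    for line in hjt_text.splitlines():
        m = O2_LINE.match(line)
        if m and (m.group(3) or m.group(2).lower() in removed):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Anything `outstanding()` still lists after the reboot rerun is the file to ask about next, and each orphaned CLSID is a registry entry the file removal did not clean up.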



