AVG Anti-Virus Found C:\windows\system32\drivers\etc\hosts Changed. What Do I Do, Is This A Problem, How Do I Fix It?


  • This topic is locked
16 replies to this topic

#1 big--phil

big--phil

  • Members
  • 62 posts
  • OFFLINE
  • Gender:Male
  • Location:Ireland
  • Local time:07:47 AM

Posted 31 January 2007 - 03:31 PM

Hi, my AVG anti-virus says that the status of "C:\WINDOWS\system32\drivers\etc\hosts" is 'changed'. Should I be worried and, if so, how do I fix it?

Thanks



Logfile of HijackThis v1.99.1
Scan saved at 20:21:06, on 31/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucd.ie/computing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http:\\proxy.ucd.ie\proxy.pac
O1 - Hosts: 108.112.42.206 ad.doubleclick.net
O1 - Hosts: 184.169.44.29 upgrade.bitdefender.com
O1 - Hosts: 106.62.59.13 report.bitdefender.com
O1 - Hosts: 178.95.95.213 ad.fastclick.net
O1 - Hosts: 107.116.117.138 ads.fastclick.net
O1 - Hosts: 174.15.27.94 ar.atwola.com
O1 - Hosts: 115.27.183.221 atdmt.com
O1 - Hosts: 183.97.110.57 avp.ch
O1 - Hosts: 114.153.7.176 avp.com
O1 - Hosts: 179.51.181.210 avp.ru
O1 - Hosts: 108.15.197.227 awaps.net
O1 - Hosts: 180.66.164.240 banner.fastclick.net
O1 - Hosts: 112.56.109.230 banners.fastclick.net
O1 - Hosts: 177.137.61.67 ca.com
O1 - Hosts: 111.18.29.102 www.ca.com
O1 - Hosts: 180.140.140.115 click.atdmt.com
O1 - Hosts: 104.148.31.185 clicks.atdmt.com
O1 - Hosts: 186.213.124.100 customer.symantec.com
O1 - Hosts: 100.96.64.129 dispatch.mcafee.com
O1 - Hosts: 183.2.101.136 download.mcafee.com
O1 - Hosts: 104.210.98.148 download.microsoft.com
O1 - Hosts: 181.159.189.68 downloads.microsoft.com
O1 - Hosts: 112.218.150.78 downloads-eu1.kaspersky-labs.com
O1 - Hosts: 181.65.170.225 downloads-eu2.kaspersky-labs.com
O1 - Hosts: 115.202.138.212 downloads-eu3.kaspersky-labs.com
O1 - Hosts: 185.37.50.218 downloads-us1.kaspersky-labs.com
O1 - Hosts: 109.114.81.80 downloads-us2.kaspersky-labs.com
O1 - Hosts: 180.183.191.200 downloads-us3.kaspersky-labs.com
O1 - Hosts: 111.63.81.72 downloads1.kaspersky-labs.com
O1 - Hosts: 187.45.123.197 downloads2.kaspersky-labs.com
O1 - Hosts: 102.48.18.192 downloads3.kaspersky-labs.com
O1 - Hosts: 180.188.144.114 downloads4.kaspersky-labs.com
O1 - Hosts: 111.57.62.146 engine.awaps.net
O1 - Hosts: 179.113.96.3 f-secure.com
O1 - Hosts: 100.178.73.135 fastclick.net
O1 - Hosts: 182.38.71.88 ftp.avp.ch
O1 - Hosts: 107.152.141.111 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 186.39.46.12 ftp.f-secure.com
O1 - Hosts: 106.65.181.226 ftp.kasperskylab.ru
O1 - Hosts: 174.100.75.218 ftp.sophos.com
O1 - Hosts: 111.138.97.30 go.microsoft.com
O1 - Hosts: 174.194.28.31 ids.kaspersky-labs.com
O1 - Hosts: 110.101.147.64 kaspersky-labs.com
O1 - Hosts: 182.218.134.18 kaspersky.com
O1 - Hosts: 110.50.113.133 liveupdate.symantec.com
O1 - Hosts: 178.160.128.199 liveupdate.symantecliveupdate.com
O1 - Hosts: 115.84.151.31 mast.mcafee.com
O1 - Hosts: 185.0.220.131 mcafee.com
O1 - Hosts: 109.92.142.185 media.fastclick.net
O1 - Hosts: 176.171.191.233 msdn.microsoft.com
O1 - Hosts: 103.113.37.211 my-etrust.com
O1 - Hosts: 180.172.202.29 nai.com
O1 - Hosts: 115.89.143.98 networkassociates.com
O1 - Hosts: 174.46.37.27 office.microsoft.com
O1 - Hosts: 109.188.51.100 phx.corporate-ir.net
O1 - Hosts: 185.45.204.116 rads.mcafee.com
O1 - Hosts: 109.120.41.223 secure.nai.com
O1 - Hosts: 177.7.179.127 securityresponse.symantec.com
O1 - Hosts: 108.217.74.1 service1.symantec.com
O1 - Hosts: 109.170.21.186 spd.atdmt.com
O1 - Hosts: 187.58.188.136 support.microsoft.com
O1 - Hosts: 101.13.209.239 symantec.com
O1 - Hosts: 176.188.88.223 trendmicro.com
O1 - Hosts: 105.130.169.168 update.symantec.com
O1 - Hosts: 182.123.36.37 updates.symantec.com
O1 - Hosts: 108.110.33.59 updates1.kaspersky-labs.com
O1 - Hosts: 183.59.213.85 updates2.kaspersky-labs.com
O1 - Hosts: 100.8.14.248 updates3.kaspersky-labs.com
O1 - Hosts: 177.203.115.101 updates4.kaspersky-labs.com
O1 - Hosts: 115.99.75.57 updates5.kaspersky-labs.com
O1 - Hosts: 177.164.21.164 us.mcafee.com
O1 - Hosts: 104.191.68.232 vil.nai.com
O1 - Hosts: 178.104.12.229 viruslist.com
O1 - Hosts: 115.45.29.170 viruslist.ru
O1 - Hosts: 180.17.225.124 windowsupdate.microsoft.com
O1 - Hosts: 101.14.104.106 www.avp.ch
O1 - Hosts: 187.220.183.234 www.avp.com
O1 - Hosts: 106.32.32.175 www.avp.ru
O1 - Hosts: 186.54.74.45 www.awaps.net
O1 - Hosts: 101.143.19.123 www.ca.com
O1 - Hosts: 174.32.86.13 www.f-secure.com
O1 - Hosts: 105.116.161.207 www.fastclick.net
O1 - Hosts: 181.161.67.179 www.grisoft.com
O1 - Hosts: 112.172.26.189 www.kaspersky-labs.com
O1 - Hosts: 184.209.149.39 www.kaspersky.com
O1 - Hosts: 101.182.189.240 www.kaspersky.ru
O1 - Hosts: 173.37.26.35 www.mcafee.com
O1 - Hosts: 112.46.139.229 www.my-etrust.com
O1 - Hosts: 178.225.214.176 www.nai.com
O1 - Hosts: 108.150.114.26 www.networkassociates.com
O1 - Hosts: 178.182.181.42 www.sophos.com
O1 - Hosts: 109.208.204.78 www.symantec.com
O1 - Hosts: 185.128.102.236 www.trendmicro.com
O1 - Hosts: 106.65.196.108 www.viruslist.com
O1 - Hosts: 179.223.125.67 www.viruslist.ru
O1 - Hosts: 103.38.35.138 www3.ca.com
O1 - Hosts: 175.24.52.173 avp.ch
O1 - Hosts: 112.167.176.41 avp.com
O1 - Hosts: 181.132.72.29 avp.ru
O1 - Hosts: 108.51.94.92 awaps.net
O1 - Hosts: 184.196.64.44 f-secure.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RunBus Class - {4865F155-CE00-4E93-A414-147844D7C81A} - C:\WINDOWS\system32\tcblwjaj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: FHSZOXEJVN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Philip\LOCALS~1\Temp\FHSZOXEJVN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe



#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:07:47 AM

Posted 31 January 2007 - 04:15 PM

Hello Phil, my name is David, welcome to Bleeping Computer!

My first remark is to say that yes, unfortunately you are infected. To be more specific, from the Hijackthis log you posted I can see you are infected with Sdbot trojans/worms, which are capable of backdoor activity. To be brief, due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

I've researched the entries and found this information, in case you find it useful:

Netverchk.exe is Trojan/Backdoor. It has the ability to change the hosts file.

So, that's the first thing, I recommend you change your passwords.
Here are two useful links, in case you wish to read more on the infection you have:
http://fileinfo.prevx.com/spyware/qqe7ee46...VERCHK.EXE.html

Ok, now onto the removal, please follow these instructions exactly as posted, it's important. Also it is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to create "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause false alarms, when the anti virus software tells you that your PC has a virus when it actually doesn't. Also it can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Avast.

I have noticed from your log that you have various online poker programs installed on your computer. I understand that you may use these games on a regular basis, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this. If you do decide to go ahead and remove the poker software, you should be able to uninstall them via add/remove, which can be found in the control panel. Let me know if you have any problems whilst doing so.

Open hijackthis, click 'config' (bottom right) Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say No.:
C:\WINDOWS\System32\drivers\svchost.exe

Please do the same for this file:
C:\WINDOWS\system32\Netverchk.exe

When asked to reboot, please choose Yes. Your system will reboot now.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: RunBus Class - {4865F155-CE00-4E93-A414-147844D7C81A} - C:\WINDOWS\system32\tcblwjaj.dll (file missing)
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: FHSZOXEJVN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Philip\LOCALS~1\Temp\FHSZOXEJVN.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download hoster from here.
Unzip Hoster.zip, and open Hoster.exe
Then click on "Restore Microsoft Hosts File"
Close program when complete.

Download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on scan then click next,
You'll see a list of all items found.
Do not choose for rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Also post a new Hijackthis log.

David
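The O1 entries in Phil's log are the symptom David is describing: dozens of antivirus vendor and Windows Update hostnames mapped to routable addresses rather than to loopback, which silently breaks updates and can redirect a victim to attacker-controlled servers. The script below is an added example, not part of this thread or of any of the tools mentioned in it. It parses HijackThis "O1 - Hosts:" lines (and plain hosts-file lines), separates deliberate ad-blocking sinkholes (127.0.0.1 / 0.0.0.0) from entries that redirect a name elsewhere, flags redirected names that match an assumed list of security-vendor keywords, and rebuilds a hosts file that keeps only the non-redirecting lines. The sample log and the 198.51.100.x / 203.0.113.x addresses are constructed; the keyword list is an illustrative assumption, not an exhaustive catalogue.

```python
"""Audit hosts-file entries for redirection of security-vendor domains.

Added example for the thread above; not code from HijackThis, Hoster or any
vendor. Parses HijackThis "O1 - Hosts:" lines and plain hosts-file lines.
"""
import ipaddress
import re
from dataclasses import dataclass

# Keywords of names a hosts-file hijack commonly targets (assumed list,
# chosen to cover the vendors present in the posted log; not exhaustive).
PROTECTED_KEYWORDS = (
    "symantec", "mcafee", "kaspersky", "avp.", "f-secure", "sophos",
    "trendmicro", "bitdefender", "grisoft", "nai.com", "ca.com",
    "microsoft.com", "viruslist",
)

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts_lines(text):
    """Return one HostsEntry per (address, hostname) pair found in text.

    Accepts HijackThis O1 lines and raw hosts-file lines; skips comments,
    blank lines and anything whose first field is not an IP address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping (e.g. garbage or a header line)
        # one hosts line may name several hosts for the same address
        for name in parts[1:]:
            entries.append(HostsEntry(parts[0], name, line_no))
    return entries


def classify(entry):
    """'sinkholed' blocks a name; 'redirected' sends it to a real host;
    'hijacked_vendor' is a redirect of a security/update site."""
    ip = ipaddress.ip_address(entry.address)
    if ip.is_loopback or ip.is_unspecified:
        return "sinkholed"  # 127.x / 0.0.0.0: ad-block style, not a redirect
    if any(k in entry.hostname.lower() for k in PROTECTED_KEYWORDS):
        return "hijacked_vendor"
    return "redirected"


def audit(text):
    """Group every parsed entry by its classification."""
    report = {"sinkholed": [], "hijacked_vendor": [], "redirected": []}
    for entry in parse_hosts_lines(text):
        report[classify(entry)].append(entry)
    return report


def rebuild_hosts(text):
    """Return hosts-file text with all redirecting entries removed.

    Like a 'restore hosts file' tool, but it preserves deliberate loopback
    sinkholes and guarantees the localhost line is present.
    """
    kept = [e for e in parse_hosts_lines(text) if classify(e) == "sinkholed"]
    lines = ["# hosts file rebuilt: redirecting entries removed"]
    if not any(e.hostname.lower() == "localhost" for e in kept):
        lines.append("127.0.0.1\tlocalhost")
    lines += [f"{e.address}\t{e.hostname}" for e in kept]
    return "\n".join(lines) + "\n"


# Constructed sample modelled on the O1 section of a HijackThis log.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O1 - Hosts: 198.51.100.23 liveupdate.symantec.com
O1 - Hosts: 203.0.113.9 windowsupdate.microsoft.com
O1 - Hosts: 203.0.113.77 www.example.test
O1 - Hosts: not-an-ip broken.entry
"""

if __name__ == "__main__":
    for category, found in audit(SAMPLE_LOG).items():
        for e in found:
            print(f"line {e.line_no}: {category:15} {e.address:16} {e.hostname}")
    print(rebuild_hosts(SAMPLE_LOG))
```

Run it as a script to see the classification of the sample; feed it the real file with `audit(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())` on the affected machine. Any "hijacked_vendor" hit is a strong indicator of the kind of infection David identifies, since legitimate ad-blocking hosts lists only ever point names at loopback or 0.0.0.0.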

#3 big--phil

big--phil
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Gender:Male
  • Location:Ireland
  • Local time:07:47 AM

Posted 31 January 2007 - 05:04 PM

Hi David, thanks very much for helping me. :thumbsup: I followed your steps and got as far as using the application 'hoster.exe'. When I opened this I was unable to press the 'Restore Microsoft Host Files' button; the only button that was pressable was 'make hosts writable'. What should I do?
I've downloaded Blacklight but I haven't used it yet.

Also thanks for the tips and I plan on removing my poker games.

Logfile of HijackThis v1.99.1
Scan saved at 21:57:22, on 31/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Philip\LOCALS~1\Temp\Rar$EX00.218\Hoster\Hoster.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucd.ie/computing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http:\\proxy.ucd.ie\proxy.pac
O1 - Hosts: 108.112.42.206 ad.doubleclick.net
O1 - Hosts: 184.169.44.29 upgrade.bitdefender.com
O1 - Hosts: 106.62.59.13 report.bitdefender.com
O1 - Hosts: 178.95.95.213 ad.fastclick.net
O1 - Hosts: 107.116.117.138 ads.fastclick.net
O1 - Hosts: 174.15.27.94 ar.atwola.com
O1 - Hosts: 115.27.183.221 atdmt.com
O1 - Hosts: 183.97.110.57 avp.ch
O1 - Hosts: 114.153.7.176 avp.com
O1 - Hosts: 179.51.181.210 avp.ru
O1 - Hosts: 108.15.197.227 awaps.net
O1 - Hosts: 180.66.164.240 banner.fastclick.net
O1 - Hosts: 112.56.109.230 banners.fastclick.net
O1 - Hosts: 177.137.61.67 ca.com
O1 - Hosts: 111.18.29.102 www.ca.com
O1 - Hosts: 180.140.140.115 click.atdmt.com
O1 - Hosts: 104.148.31.185 clicks.atdmt.com
O1 - Hosts: 186.213.124.100 customer.symantec.com
O1 - Hosts: 100.96.64.129 dispatch.mcafee.com
O1 - Hosts: 183.2.101.136 download.mcafee.com
O1 - Hosts: 104.210.98.148 download.microsoft.com
O1 - Hosts: 181.159.189.68 downloads.microsoft.com
O1 - Hosts: 112.218.150.78 downloads-eu1.kaspersky-labs.com
O1 - Hosts: 181.65.170.225 downloads-eu2.kaspersky-labs.com
O1 - Hosts: 115.202.138.212 downloads-eu3.kaspersky-labs.com
O1 - Hosts: 185.37.50.218 downloads-us1.kaspersky-labs.com
O1 - Hosts: 109.114.81.80 downloads-us2.kaspersky-labs.com
O1 - Hosts: 180.183.191.200 downloads-us3.kaspersky-labs.com
O1 - Hosts: 111.63.81.72 downloads1.kaspersky-labs.com
O1 - Hosts: 187.45.123.197 downloads2.kaspersky-labs.com
O1 - Hosts: 102.48.18.192 downloads3.kaspersky-labs.com
O1 - Hosts: 180.188.144.114 downloads4.kaspersky-labs.com
O1 - Hosts: 111.57.62.146 engine.awaps.net
O1 - Hosts: 179.113.96.3 f-secure.com
O1 - Hosts: 100.178.73.135 fastclick.net
O1 - Hosts: 182.38.71.88 ftp.avp.ch
O1 - Hosts: 107.152.141.111 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 186.39.46.12 ftp.f-secure.com
O1 - Hosts: 106.65.181.226 ftp.kasperskylab.ru
O1 - Hosts: 174.100.75.218 ftp.sophos.com
O1 - Hosts: 111.138.97.30 go.microsoft.com
O1 - Hosts: 174.194.28.31 ids.kaspersky-labs.com
O1 - Hosts: 110.101.147.64 kaspersky-labs.com
O1 - Hosts: 182.218.134.18 kaspersky.com
O1 - Hosts: 110.50.113.133 liveupdate.symantec.com
O1 - Hosts: 178.160.128.199 liveupdate.symantecliveupdate.com
O1 - Hosts: 115.84.151.31 mast.mcafee.com
O1 - Hosts: 185.0.220.131 mcafee.com
O1 - Hosts: 109.92.142.185 media.fastclick.net
O1 - Hosts: 176.171.191.233 msdn.microsoft.com
O1 - Hosts: 103.113.37.211 my-etrust.com
O1 - Hosts: 180.172.202.29 nai.com
O1 - Hosts: 115.89.143.98 networkassociates.com
O1 - Hosts: 174.46.37.27 office.microsoft.com
O1 - Hosts: 109.188.51.100 phx.corporate-ir.net
O1 - Hosts: 185.45.204.116 rads.mcafee.com
O1 - Hosts: 109.120.41.223 secure.nai.com
O1 - Hosts: 177.7.179.127 securityresponse.symantec.com
O1 - Hosts: 108.217.74.1 service1.symantec.com
O1 - Hosts: 109.170.21.186 spd.atdmt.com
O1 - Hosts: 187.58.188.136 support.microsoft.com
O1 - Hosts: 101.13.209.239 symantec.com
O1 - Hosts: 176.188.88.223 trendmicro.com
O1 - Hosts: 105.130.169.168 update.symantec.com
O1 - Hosts: 182.123.36.37 updates.symantec.com
O1 - Hosts: 108.110.33.59 updates1.kaspersky-labs.com
O1 - Hosts: 183.59.213.85 updates2.kaspersky-labs.com
O1 - Hosts: 100.8.14.248 updates3.kaspersky-labs.com
O1 - Hosts: 177.203.115.101 updates4.kaspersky-labs.com
O1 - Hosts: 115.99.75.57 updates5.kaspersky-labs.com
O1 - Hosts: 177.164.21.164 us.mcafee.com
O1 - Hosts: 104.191.68.232 vil.nai.com
O1 - Hosts: 178.104.12.229 viruslist.com
O1 - Hosts: 115.45.29.170 viruslist.ru
O1 - Hosts: 180.17.225.124 windowsupdate.microsoft.com
O1 - Hosts: 101.14.104.106 www.avp.ch
O1 - Hosts: 187.220.183.234 www.avp.com
O1 - Hosts: 106.32.32.175 www.avp.ru
O1 - Hosts: 186.54.74.45 www.awaps.net
O1 - Hosts: 101.143.19.123 www.ca.com
O1 - Hosts: 174.32.86.13 www.f-secure.com
O1 - Hosts: 105.116.161.207 www.fastclick.net
O1 - Hosts: 181.161.67.179 www.grisoft.com
O1 - Hosts: 112.172.26.189 www.kaspersky-labs.com
O1 - Hosts: 184.209.149.39 www.kaspersky.com
O1 - Hosts: 101.182.189.240 www.kaspersky.ru
O1 - Hosts: 173.37.26.35 www.mcafee.com
O1 - Hosts: 112.46.139.229 www.my-etrust.com
O1 - Hosts: 178.225.214.176 www.nai.com
O1 - Hosts: 108.150.114.26 www.networkassociates.com
O1 - Hosts: 178.182.181.42 www.sophos.com
O1 - Hosts: 109.208.204.78 www.symantec.com
O1 - Hosts: 185.128.102.236 www.trendmicro.com
O1 - Hosts: 106.65.196.108 www.viruslist.com
O1 - Hosts: 179.223.125.67 www.viruslist.ru
O1 - Hosts: 103.38.35.138 www3.ca.com
O1 - Hosts: 175.24.52.173 avp.ch
O1 - Hosts: 112.167.176.41 avp.com
O1 - Hosts: 181.132.72.29 avp.ru
O1 - Hosts: 108.51.94.92 awaps.net
O1 - Hosts: 184.196.64.44 f-secure.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

#4 big--phil

big--phil
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Gender:Male
  • Location:Ireland
  • Local time:07:47 AM

Posted 31 January 2007 - 05:12 PM

Also, I read the links on the infection and was wondering, do you recommend downloading Prevx1?

Thanks again.

#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:07:47 AM

Posted 01 February 2007 - 02:14 PM

Hi there Big Phil! You're welcome for the help so far.

As far as the hoster is concerned, I think you might just be missing the button that needs to be pressed. After downloading the hoster from the link I provided, after unzipping click on hoster.exe to open the program, and the main interface window will open. If you look on the right hand side in the middle you should see the button for "Restore Microsoft Hosts File". Click on that, which should take a few seconds, then exit the program. I've included a screen shot of the program for clarification in case it helps:

[screenshot of the Hoster program, image not preserved]

As far as Prevx is concerned, I would certainly hold off installing it for the time being. At the moment you have 2 active antiviral programs, Avast and AVG AV (not AVG antispyware, that is something different). As I said in my last post, I do not recommend that you have more than one anti virus product installed and running on your computer at a time. It can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time. Therefore please go to add/remove in the control panel and remove either AVG antivirus (not the antispyware program) or Avast. It's an imperative step and I have no doubt you will notice the improvement in performance after removing one of them. If you went ahead and installed Prevx antivirus now, you would have 3 active AVs running, which, as you can imagine, is a really bad idea, and your system will no doubt slow to a crawl. So, by the time of the next reply, please uninstall either AVG AV or Avast.

Then, I see you have Windows Defender running.
Its real-time protection may interfere with the fixes, which is why I want you to turn it off.

To turn real-time protection off
Open Windows Defender. (Click Start, click Programs, and then click Windows Defender.)
Click Tools, and then click General Settings.
Under Real-time protection options, Uncheck the Turn on real-time protection (recommended) check box.
Then click Save.

So, now run the hoster program as per the previous instructions.
Then run Blacklight and save its log. Post that with a new Hijackthis log.

David
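For anyone reading this later who wants to see what "hosts changed" actually means before clicking a restore button: the script below is an added example, not part of Hoster or of anything David or Phil posted. It parses a hosts file, ignores the one mapping Microsoft ships on XP (127.0.0.1 localhost), and classifies every other entry as an update block (a vendor hostname pinned to loopback or 0.0.0.0), a redirect (a hostname pointed at a routable address) or simply non-default. The sample hosts text, the vendor domain list and the TEST-NET redirect address are constructed for the example. Python is used because the point is offline analysis of the file's text, not a Windows administration step.

```python
"""Audit a Windows hosts file against Microsoft's default.

Added example for this thread, not part of the Hoster tool or any poster's
code. On Windows XP the file lives at
%SystemRoot%\\system32\\drivers\\etc\\hosts and, as shipped, maps only
"127.0.0.1 localhost". Anything else is either an admin's deliberate entry or
a hijack: malware commonly pins AV/update hostnames to loopback so updates
fail, or points real sites at an attacker address. The sample hosts text and
the vendor list below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import os
from dataclasses import dataclass

DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Illustrative hostnames whose blackholing breaks security updates (assumed list).
UPDATE_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "avast.com",
                  "grisoft.com", "avg.com", "kaspersky.com", "pandasoftware.com")


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    hostname: str
    reason: str


def _under_domain(name: str, domains: tuple[str, ...]) -> bool:
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping; '#' starts a comment
    and one line may map several hostnames to the same address."""
    entries: list[tuple[int, str, str]] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        entries.extend((n, ip, name.lower()) for name in names)
    return entries


def audit_hosts(text: str) -> list[Finding]:
    """Return one Finding per mapping that is not the default.

    update-block : update/AV hostname pinned to loopback or 0.0.0.0
    redirect     : hostname pointed at a routable address
    non-default  : any other extra mapping (review manually)
    malformed    : first field is not an IP address
    """
    findings: list[Finding] = []
    for n, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(n, ip, name, "malformed"))
            continue
        blackholed = addr.is_loopback or addr.is_unspecified
        if blackholed and _under_domain(name, UPDATE_DOMAINS):
            reason = "update-block"
        elif not blackholed:
            reason = "redirect"
        else:
            reason = "non-default"
        findings.append(Finding(n, ip, name, reason))
    return findings


def is_writable(path: str) -> bool:
    """False when the file carries the read-only attribute; malware sets it so
    that hosts-restoring tools fail (the 'Make Files Writable' step above)."""
    return os.access(path, os.W_OK)


# Constructed sample: Microsoft's header plus two tampered lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       free.avg.com www.avast.com    # AV update block
192.0.2.10      www.google.com                # redirect (TEST-NET-1 address)
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip:<15} {f.hostname:<16} {f.reason}")
```

Run it against a copy of the real file by passing `open(path).read()` to `audit_hosts`; on a clean XP box the list comes back empty. The `is_writable` check mirrors what Phil ran into in the next post: a hosts file that has been set read-only cannot be restored until the attribute is cleared.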

#6 big--phil


Posted 01 February 2007 - 03:05 PM

Hi, thanks again for all your help, David. I uninstalled Avast like you recommended and the computer does seem quicker :thumbsup:. I opened Hoster and pressed the "Restore Microsoft Hosts File" button, but I had to press the "Make Files Writable" button first to allow me to press the "Restore Microsoft Hosts File" button. Also, I ran BlackLight and the file is below, and the new HijackThis log is below as well. Thanks for your patience and time :flowers:.

Here's the BlackLight log:

02/01/07 19:35:42 [Info]: BlackLight Engine 1.0.55 initialized
02/01/07 19:35:42 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/01/07 19:35:42 [Note]: 7019 4
02/01/07 19:35:42 [Note]: 7005 0
02/01/07 19:36:16 [Note]: 7006 0
02/01/07 19:36:16 [Note]: 7011 1952
02/01/07 19:36:16 [Note]: 7026 0
02/01/07 19:36:16 [Note]: 7026 0
02/01/07 19:36:26 [Note]: FSRAW library version 1.7.1021
02/01/07 19:45:19 [Note]: 2000 1012
02/01/07 19:45:19 [Note]: 2000 1012
02/01/07 19:45:19 [Note]: 2000 1012




Logfile of HijackThis v1.99.1
Scan saved at 19:57:24, on 01/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucd.ie/computing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http:\\proxy.ucd.ie\proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

#7 -David-

Posted 01 February 2007 - 03:31 PM

Great work! :thumbsup:

The HijackThis log is looking clean now, but we have a bit more work to do. As with all infections like this, they never come alone, and I have little doubt that there is a whole host of left-over infected files still lurking on the computer. Oh yes, you are using a handful of programs such as Memory Optimizers. I recommend you remove any third-party "Memory Manager" or "Optimizer". Windows XP memory management was designed to make the best use of RAM, and these memory management utilities defeat that purpose. They push applications out of RAM into the pagefile, creating holes in the RAM, and by doing so slow down your computer.

Now I need a few more scans from you. You can re-enable Defender if you have not done so already.

Please download Combofix to your desktop.
Doubleclick combofix.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Also post the Combofix log.

David

#8 big--phil


Posted 01 February 2007 - 03:54 PM

Hi, thanks. My computer seems to be getting back to normal and is speeding up :thumbsup:. I ran ComboFix and the log is below, but when I went to the "Kaspersky Webscan" link, nothing happens when I press the "Accept" button. Thanks again for your time. I haven't uninstalled System Optimizer but I haven't restarted yet. Do you mean that I re-enable the real-time protection on Windows Defender?

:flowers:

Here's the combofix log:

"Philip" - 07-02-01 20:34:55 Service Pack 2
ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Philip\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-01 to 2007-02-01 ))))))))))))))))))))))))))))))))))


2007-01-30 19:40 <DIR> d-------- C:\Program Files\QuickTime
2007-01-29 21:39 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-01-29 21:39 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-01-29 19:49 <DIR> d-------- C:\DOCUME~1\Philip\Application Data\wsInspector
2007-01-29 19:31 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-01-29 19:19 <DIR> d-------- C:\WINDOWS\pss
2007-01-29 19:06 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-01-29 19:06 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-01-28 17:41 <DIR> d-------- C:\Program Files\a-squared Free
2007-01-28 17:16 <DIR> d-------- C:\DOCUME~1\Philip\Application Data\Lavasoft
2007-01-28 17:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-28 17:00 <DIR> d-------- C:\Program Files\Alwil Software
2007-01-28 16:08 <DIR> d-------- C:\HijackThis
2007-01-27 20:48 <DIR> d-------- C:\DOCUME~1\Philip\Application Data\uTorrent
2007-01-27 18:08 <DIR> d-------- C:\DOCUME~1\Philip\Application Data\Apple Computer
2007-01-25 22:49 <DIR> d-------- C:\Program Files\Apple Software Update
2007-01-25 22:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Apple Computer
2007-01-22 16:31 <DIR> d-------- C:\Program Files\MSN Messenger
2007-01-22 16:29 <DIR> d-------- C:\Program Files\Windows Live Messenger
2007-01-22 16:10 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-01-18 16:22 88 -r-hs---- C:\WINDOWS\system32\DC8381FC39.sys
2007-01-18 16:12 <DIR> d-------- C:\DOCUME~1\Philip\Application Data\Corel
2007-01-18 16:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\InstallShield
2007-01-18 16:06 <DIR> d-------- C:\Program Files\Corel
2007-01-17 23:14 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-17 23:12 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-17 23:12 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-17 20:16 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-17 20:16 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-17 20:13 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-17 20:12 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-17 20:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-13 00:59 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-12 13:03 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-12 12:58 <DIR> d-------- C:\Program Files\Windows Defender
2007-01-12 12:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-12 00:56 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-01-12 00:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-01-11 23:37 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-01-11 23:37 36,864 --a------ C:\WINDOWS\system32\slimwser.exe
2007-01-11 23:37 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-11 23:36 <DIR> d-------- C:\WINDOWS\system32\SearchTool
2007-01-11 23:28 <DIR> d-------- C:\DOCUME~1\Philip\Shared
2007-01-11 23:28 <DIR> d-------- C:\DOCUME~1\Philip\Incomplete
2007-01-11 23:27 <DIR> d-------- C:\Program Files\LimeWire
2007-01-11 23:25 <DIR> d-------- C:\DOCUME~1\Philip\.limewire
2007-01-10 13:05 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2007-01-10 13:05 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-10 01:36 <DIR> d-------- C:\DOCUME~1\Philip\Contacts
2007-01-10 01:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Live Toolbar
2007-01-10 01:34 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-01-10 00:36 <DIR> d-------- C:\WINDOWS\PlayerStats
2007-01-10 00:36 <DIR> d-------- C:\DOCUME~1\Philip\Application Data\Big--Phil
2007-01-10 00:27 <DIR> d-------- C:\WINDOWS\Sun
2007-01-10 00:27 <DIR> d-------- C:\DOCUME~1\Philip\Application Data\Sun
2007-01-10 00:26 <DIR> d-------- C:\Program Files\Java
2007-01-10 00:25 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-10 00:19 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-01-09 15:00 <DIR> d-------- C:\~MSSETUP.T
2007-01-09 14:59 <DIR> d-------- C:\Program Files\Maxis
2007-01-03 22:05 299,008 --a------ C:\WINDOWS\uninst.exe
2007-01-03 22:05 <DIR> d-------- C:\Program Files\EA SPORTS


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-01 19:04 -------- d-------- C:\DOCUME~1\Philip\Application Data\avg7
2007-01-31 20:08 -------- d-------- C:\Program Files\imtoo
2007-01-31 18:27 -------- d--h----- C:\Program Files\installshield installation information
2007-01-28 16:37 -------- d-------- C:\DOCUME~1\Philip\Application Data\adobeum
2007-01-27 09:26 -------- d-------- C:\Program Files\google
2007-01-25 18:37 9394 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-22 16:24 -------- d-------- C:\Program Files\grisoft
2007-01-22 16:24 -------- d-------- C:\Program Files\audacity
2007-01-20 19:05 -------- d-------- C:\Program Files\winamp
2007-01-18 16:12 -------- d-------- C:\Program Files\Common Files\installshield
2007-01-15 13:24 -------- d-------- C:\Program Files\divx
2007-01-13 01:01 -------- d-------- C:\DOCUME~1\Philip\Application Data\mozilla
2007-01-12 01:24 49 --a------ C:\DOCUME~1\Philip\Application Data\internaldb41.dat
2007-01-12 01:24 337 --a------ C:\DOCUME~1\Philip\Application Data\internaldb1942.dat
2007-01-11 23:37 24576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-01-11 23:37 20480 --a------ C:\DOCUME~1\Philip\Application Data\internaldb4827.dat
2007-01-11 23:36 9216 --a------ C:\DOCUME~1\Philip\Application Data\internaldb8467.dat
2007-01-11 23:36 23 --a------ C:\DOCUME~1\Philip\Application Data\inifile41.ini
2007-01-11 23:36 0 --a------ C:\DOCUME~1\Philip\Application Data\internaldb6334.dat
2007-01-11 23:36 0 --a------ C:\DOCUME~1\Philip\Application Data\internaldb5436.dat
2007-01-11 14:14 -------- d---s---- C:\DOCUME~1\Philip\Application Data\microsoft
2006-12-18 19:30 -------- d-------- C:\DOCUME~1\Philip\Application Data\google
2006-12-05 15:17 56 -r-hs---- C:\WINDOWS\system32\39fc8183dc.sys
2006-12-05 15:14 36734 --a------ C:\WINDOWS\system32\oggdsuninst.exe
2006-12-05 15:13 -------- d-------- C:\Program Files\xvid
2006-12-05 15:13 -------- d-------- C:\Program Files\morgan
2006-12-03 22:18 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-03 13:59 -------- d-------- C:\Program Files\ces edupack 2006
2006-11-30 19:13 2572 --a------ C:\WINDOWS\windvdbootrecdoe.sys
2006-11-09 20:17 34368 --a------ C:\DOCUME~1\Philip\Application Data\gdipfontcachev1.dat
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\Z]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1ce0e042-0620-11db-a3a7-0016ecb88c46}]
Shell\AutoRun\command winshell110.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ded31f3-fe09-11da-a4f2-806d6172696f}]
Shell\AutoRun\command D:\BSetup.EXE

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7ba19e6-16ce-11db-9eeb-0016ecc05df1}]
Shell\AutoRun\command winshell110.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c671c1e1-f10c-11da-9074-806d6172696f}]
Shell\AutoRun\command D:\BSetup.EXE



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070131-214935-794
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
backup-20070131-214935-374
O23 - Service: FHSZOXEJVN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Philip\LOCALS~1\Temp\FHSZOXEJVN.exe
backup-20070131-214935-178
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
backup-20070131-214935-377
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
backup-20070131-214935-849
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
backup-20070131-214935-559
O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
backup-20070131-214935-164
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
backup-20070131-214934-924
O2 - BHO: RunBus Class - {4865F155-CE00-4E93-A414-147844D7C81A} - C:\WINDOWS\system32\tcblwjaj.dll (file missing)
backup-20070131-214935-384
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 07-02-01 20:37:49



Logfile of HijackThis v1.99.1
Scan saved at 20:52:49, on 01/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http:\\proxy.ucd.ie\proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
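The "Hijackthis Backups" section of that ComboFix log is a compact catalogue of the tells David was reading by eye: a service with a random name running from the user's Temp folder, an svchost.exe sitting in system32\drivers instead of system32, Trusted Zone additions, an ActiveX download from a non-Microsoft host, and a BHO whose DLL has already been deleted. The script below is an added example (not a tool from the thread, not HijackThis) that writes those eyeball rules down and runs them over lines copied from the log above, plus two benign lines from the same log for contrast. The canonical system32 path for an XP install on C:\WINDOWS and the rule set itself are assumptions of the example.

```python
"""Triage HijackThis-style log lines for classic tells of malware persistence.

Added example, not a tool from the thread. The sample lines are copied from
the 'Hijackthis Backups' section of the ComboFix log above (entries the poster
was told to fix) plus two benign lines from the same log for contrast. The
rules are a responder's eyeball heuristics written down; they are assumptions
of this example and, as the output shows, they do not catch everything.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Core Windows binaries that only legitimately run from %SystemRoot%\system32
# (assumed XP install on C:\WINDOWS). A copy anywhere else is a name masquerade.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe",
                 "services.exe", "csrss.exe"}
SYSTEM32 = r"c:\windows\system32"

WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')
URL = re.compile(r"https?://[^\s)]+")


def triage_line(line: str) -> list[str]:
    """Return the reasons a line deserves attention (empty list if none)."""
    reasons: list[str] = []
    kind = line.split(" - ", 1)[0].strip()          # "O4", "O15", "O23", ...

    for path in (p.lower() for p in WIN_PATH.findall(line)):
        directory, _, name = path.rpartition("\\")
        if "\\temp\\" in path:
            reasons.append("executable runs from a Temp directory")
        if name in CORE_BINARIES and directory != SYSTEM32:
            reasons.append(f"{name} outside {SYSTEM32} (name masquerade)")

    if kind == "O15":
        reasons.append("Trusted Zone addition (a clean IE has none)")

    if kind == "O16":
        for url in URL.findall(line):
            host = urlparse(url).hostname or ""
            if host != "microsoft.com" and not host.endswith(".microsoft.com"):
                reasons.append(f"ActiveX download from non-Microsoft host {host}")

    if "(file missing)" in line:
        reasons.append("autostart points at a file that no longer exists")
    return reasons


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return only the lines that fired at least one rule, with their reasons."""
    return [(ln, r) for ln in lines if (r := triage_line(ln))]


# Sample input: lines copied from the ComboFix log in this thread.
SAMPLE_LINES = [
    r"O23 - Service: FHSZOXEJVN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Philip\LOCALS~1\Temp\FHSZOXEJVN.exe",
    r"O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe",
    r"O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)",
    r"O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab",
    r"O2 - BHO: RunBus Class - {4865F155-CE00-4E93-A414-147844D7C81A} - C:\WINDOWS\system32\tcblwjaj.dll (file missing)",
    r"O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe",
    # Benign lines from the same log:
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r'O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP',
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Five of the six bad lines fire; the sixth, Netverchk.exe under a plausible "Chckup" label in the right directory, is exactly the kind of entry that only gets caught by knowing the name, which is why David still asked for the log rather than trusting a scanner. Two things the rules deliberately skip: the "Sysinternals" company string on the O23 line is a spoof (the Temp-path rule already catches that entry), and the MountPoints2 AutoRun commands for winshell110.exe in the same ComboFix log are a separate removable-media check that this line format does not cover.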

#9 -David-

Posted 01 February 2007 - 05:02 PM

Yes, you can go ahead and enable Windows Defender now if you wish.

I need to get a sample of two of the files on your computer, I'm not sure if they are bad or not.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Open the program you just downloaded.
Paste the following into the Suspicious File Packer window:

C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\slimwser.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Reboot back into normal mode now.

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files in your next reply.

Open Notepad and copy and paste the following text into the window:

@echo off
rem Append a directory listing of the SearchTool folder to look.txt
dir "C:\WINDOWS\system32\SearchTool" >> look.txt
rem Open the listing in the default text editor
start look.txt

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: [screenshot not reproduced]
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

A text file will open, please paste that back here in your next reply.
Do not worry about Kaspersky for the moment, we can try another scanner.

David

#10 big--phil


Posted 02 February 2007 - 08:13 AM

Hi, I sent the file you were looking for and here is the other one, thanks. :thumbsup:

Volume in drive C has no label.
Volume Serial Number is 7CC3-4B7A

Directory of C:\WINDOWS\system32\SearchTool

12/01/2007 02:36 <DIR> .
12/01/2007 02:36 <DIR> ..
11/01/2007 23:36 46,903 uninstallSE.exe
1 File(s) 46,903 bytes
2 Dir(s) 11,702,431,744 bytes free

#11 big--phil


Posted 02 February 2007 - 08:33 AM

Also, I was just wondering: do you recommend installing "Spybot - Search & Destroy" and "SpywareBlaster"?

thanks.

#12 -David-

Posted 02 February 2007 - 01:19 PM

Great work! :thumbsup:

I've had a look at the two files you uploaded, and have uploaded them to various antivirus programs. For the slimwser.exe, out of the 20 antivirus companies I scanned the file at, only Prevx picked it up as being a malicious file, so thankfully we caught it before it did any damage to the system. The other file came back as clean, but having looked into the strings of the file, it is doing no good for your system at all, and I want you to remove it regardless. Also, the batch file I got you to run, has shown me the contents of the folder I questioned, and it appears to be part of the SmartShopper adware family, so we're going to remove that too.

Open HijackThis, click 'Config' (bottom right), then choose the 'Misc Tools' tab at the top.
Choose 'Delete a file on reboot'. In the field, copy and paste the file path given a few lines below.
Click Open. HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say No:
C:\WINDOWS\system32\winpfz32.sys

Do the same for the following file, and hit Yes when asked to reboot:
C:\WINDOWS\system32\slimwser.exe

The SmartShopper adware that found its way into your computer was installed in exactly the same hour you installed LimeWire on your PC. Coincidence? I probably think so. You are using peer-to-peer programs. These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix. For more information about infections as a result of p2p programs, take a look here: http://p2p.malwareremoval.com/

After the reboot, navigate to and open this folder:
C:\WINDOWS\system32\SearchTool <--folder
Look for uninstallSE.exe and double-click it.
After running it, if the folder hasn't been removed, delete the SearchTool folder.

Then, run HijackThis.
On the first menu, click 'Open the Misc Tools Section'.
Click 'Open Uninstall Manager'.
Click 'Save List' and save it anywhere.
A Notepad window will pop up after it's saved; please copy everything in that Notepad window and paste it here.

Then, please run Panda's ActiveScan.
Once you are on the Panda site, click the 'Scan your PC' button.
A new window will open; click the 'Check Now' button.
Enter your personal details.
Click the big 'Scan Now' button.
It will ask to install various content; please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When the download is complete, click on 'Local Disks' to start the scan.
When the scan completes, click the 'See Report' button.
Click 'Save Report' and save the file to your Desktop, so you can post this log in your next reply.

So, a new HijackThis log, uninstall list and Panda log in the next reply please!

Edited by D-Trojanator, 02 February 2007 - 01:20 PM.
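HijackThis's 'delete a file on reboot' option defers the deletion to the next boot, which is how a file that is locked or protected while Windows is running can still be removed. The mechanism Windows provides for that is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT: it appends a source/destination pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager performs the operations early in the next boot, before most security software is running. The post does not say that HijackThis uses this call, so that is an assumption here. The Python below is an added example, not HijackThis code or anything from the thread: it decodes such a value from constructed sample bytes (the two deletions requested above plus two invented replacements) and lists what would happen at boot, then picks out replacements that land inside the Windows directory from a source outside it, the shape a boot-time file swap takes.

```python
"""Decode the PendingFileRenameOperations value that Windows processes at boot.

Added example for this thread, not HijackThis code.  Assumes the layout
MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) produces: a REG_MULTI_SZ of
(source, destination) pairs in NT path form, where an empty destination
means "delete" and a destination beginning with '!' means "replace the
existing file".  The sample value below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import List

NT_PREFIX = "\\??\\"          # NT-style path prefix, literally \??\


@dataclass(frozen=True)
class PendingOp:
    action: str   # "delete", "rename" or "replace"
    source: str   # Win32 path (NT prefix removed)
    target: str   # empty for a delete


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build REG_MULTI_SZ bytes: each string NUL-terminated, UTF-16LE,
    plus one extra NUL that terminates the whole list."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + "\0".encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz.  Empty strings are kept, because an
    empty destination is how a pending delete is recorded."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):          # list terminator
        text = text[:-1]
    if text.endswith("\0"):          # terminator of the last string
        text = text[:-1]
    return text.split("\0") if text else []


def _win32(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(raw: bytes) -> List[PendingOp]:
    """Turn the registry bytes into the ordered list of operations the
    session manager will carry out at the next boot."""
    entries = decode_multi_sz(raw)
    if len(entries) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _win32(src), ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", _win32(src), _win32(dst[1:])))
        else:
            ops.append(PendingOp("rename", _win32(src), _win32(dst)))
    return ops


def boot_time_swaps_into(ops: List[PendingOp], protected_dir: str) -> List[PendingOp]:
    """Renames or replacements whose destination lies under protected_dir
    but whose source does not: a file staged outside the system tree will
    overwrite a system file before any AV service has started."""
    pdir = protected_dir.lower().rstrip("\\") + "\\"
    return [
        op for op in ops
        if op.action in ("rename", "replace")
        and op.target.lower().startswith(pdir)
        and not op.source.lower().startswith(pdir)
    ]


# Constructed sample: the two deletions requested in the thread, an
# update-style replacement staged from inside the Windows tree, and a
# hypothetical swap staged from a user's Temp folder (file names invented).
SAMPLE_VALUE = encode_multi_sz([
    NT_PREFIX + r"C:\WINDOWS\system32\winpfz32.sys", "",
    NT_PREFIX + r"C:\WINDOWS\system32\slimwser.exe", "",
    NT_PREFIX + r"C:\WINDOWS\SoftwareDistribution\Download\staged.dll",
    "!" + NT_PREFIX + r"C:\WINDOWS\system32\staged.dll",
    NT_PREFIX + r"C:\DOCUME~1\Philip\LOCALS~1\Temp\example.dll",
    "!" + NT_PREFIX + r"C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    pending = parse_pending_ops(SAMPLE_VALUE)
    for op in pending:
        print(f"{op.action:8} {op.source}" + (f" -> {op.target}" if op.target else ""))
    for op in boot_time_swaps_into(pending, r"C:\WINDOWS"):
        print("REVIEW:", op.source, "->", op.target)
```

Because the value is applied before most security software starts, a surviving attacker entry here can undo a cleanup at the very reboot meant to finish it, so the value is worth reading after any removal, whatever the tool reports.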


#13 big--phil

big--phil
  • Topic Starter

  • Members
  • 62 posts
  • Gender:Male
  • Location:Ireland

Posted 05 February 2007 - 05:15 PM

Hey, thanks again, I got all the files you were looking for. I haven't uninstalled LimeWire but I have stopped using it, and I'm going to decide later whether to keep it or not, but thanks for the advice. Here are the files:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Agere Systems AC'97 Modem v2157D
Apple Software Update
ArcSoft VideoImpression 1.6
a-squared Free 2.1
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.4
AVG Anti-Spyware 7.5
AVG Free Edition
CES EduPack 2006
Collaboration Tools Release Wildfire Datecode 2003250
CommAid
Commandos 2: Men of Courage
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec 3.1alpha release
Google Toolbar for Internet Explorer
Groove
HijackThis 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
J2SE Runtime Environment 5.0 Update 10
LimeWire 4.12.6
MathType 5
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Morgan Stream Switcher
Mozilla Firefox (2.0.0.1)
MP3PowerEncoder
MS Access 97 SP2
MSXML 4.0 SP2 (KB927978)
Nero Suite
NTI Backup NOW! 3
NTI CD & DVD-Maker Gold
OCA Client history tool install
PowerDVD
Pro/ENGINEER Release Wildfire Datecode 2003250
Pro/MECHANICA Release Wildfire Datecode 2003250
QuickTime
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Roxio Burn Engine
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Shockwave
SimCity 3000 UK Edition
Synaptics Pointing Device Driver
Trust WB-1200p Mini Webcam
Tweak-SE plug-in for Ad-Aware SE
Uninstall Startup Inspector
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoEgg Publisher
VideoLAN VLC media player 0.8.1
Winamp (remove only)
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891220
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
XviD MPEG-4 Video Codec



Incident Status Location

Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.overture.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.systemdoctor.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.com.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.888.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Philip\Application Data\Mozilla\Firefox\Profiles\pfuos77p.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Philip\Cookies\philip@ad.yieldmanager[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Philip\Cookies\philip@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Philip\Cookies\philip@doubleclick[1].txt
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\Philip\My Documents\Philip\Misc\Sysclean_SafeBackup_January_12_2007_12_38.zip[Documents and Settings/Philip/Local Settings/Temp/smoB.tmp]
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\1001 Sex Positions and more.rtf.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\2.347.821 Cracks & Serials Archive.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\2007 Dictionary English - France.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\3D Studio Max All-Versions crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\3D Studio Max.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\ACDSee 10.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\ACDSee 9.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\ACDSee Photo Manager crack-serial-keygen.exe.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Ad-aware Pro Crack.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Ad-aware Professional.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Ad-aware.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Adobe Photoshop 10 crack.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Adobe Photoshop 10 full.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Adobe Premiere 10.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Adome Photoshop cs2 crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Ahead Nero 7 Ultra Edition ENHANCED.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Ahead Nero All-Versions crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Alcohol 120% All-Versions crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Antivirus.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Avast Antivirus crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\BitComet.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\BitTorrent.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney sex xxx.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears and Eminem porn.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears blowjob.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears cumshot.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears bleep.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears full album.mp3.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears porn.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears Sexy archive.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears Song text archive.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears.mp3.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Cracks & Warez Archive.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Dark Angels Nude new.pif
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\DivX 6.0 Final (Full).exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\DivX 7.0 Final (Full).exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\DivX Codec.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Doom 3 release 2.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\DVD Cloning.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\E-Book Archive2.rtf.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Email Password Cracker.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Email Password Hacker.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Eminem blowjob.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Eminem full album.mp3.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Eminem Poster.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Eminem sex xxx.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Eminem Sexy archive.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Eminem Song text archive.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Eminem Spears porn.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Eminem.mp3.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\eMule Turbo Booster (download 8x faster).exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\eMule.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\FrontPage XP crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Full album all.mp3.pif
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Gimp 1.8 Full with Key.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Harry Potter 1-6 book.txt.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Harry Potter 5.mpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Harry Potter all e.book.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Harry Potter e book.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Harry Potter game.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Harry Potter.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Hotmail Password Cracker.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Hotmail Password Hacker.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\How to hack new.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\iMesh Turbo Booster (download 8x faster).exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\iMesh.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Internet Explorer 8 setup.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Kaspersky Antivirus 2007 crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Kazaa Lite 4.0 new.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Kazaa new.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Kazaa Turbo Booster (download 8x faster).exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Kazaa.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Keygen 4 all new.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Learn Programming 2004.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Lightwave 9 Update.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\LimeWire Turbo Booster (download 8x faster).exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\LimeWire.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Macromedia Dreamweaver All-Versions crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Macromedia Fireworks All-Versions crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Macromedia Flash All-Versions crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Magix Video Deluxe 5 beta.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Male and Female Perfect Diet.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Matrix.mpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Microsoft Office 2003 Crack best.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Microsoft Windows Vista crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Microsoft WinXP Crack full.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Mirc All-Versions crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Morpheus Turbo Booster (download 8x faster).exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Morpheus.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\MS Service Pack 6.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Nod32 Antivirus System crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\NOD32.FiX.v2.1-nsane.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Norton Antivirus 2005 beta.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Norton AntiVirus 2006 crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Norton AntiVirus 2007 crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\notepad.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Panda Antivirus crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Partitions Magic 10 beta.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Pinnacle Studio 10 crack-serial-keygen.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Porno Screensaver britney.scr
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\RFC compilation.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Ringtones.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Ringtones.mp3.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Saddam Hussein Execution.3gp.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Saddam Hussein Execution.avi.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Saddam Hussein Execution.gif.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Saddam Hussein Execution.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Saddam Hussein Execution.mpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Saddam Hussein Execution.wmv.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Screensaver2.scr
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Serials edition.txt.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Sex.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Shareaza Turbo Booster (download 8x faster).exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Shareaza.exe
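Almost every detection in the Panda report above is a file in LimeWire's Shared folder whose name promises a picture, document, song or crack while the real, final extension is .exe, .pif or .scr. That double-extension lure is why one downloader signature appears well over a hundred times, and the report's two 'Not disinfected' kinds (tracking cookies and a temp file inside an archive) are what the next post deals with by hand. The Python below is an added example for this thread, not Panda's software: it parses lines in the report's 'Type:Name Status Location' layout, counts disinfected against not-disinfected items, lists what the scanner left in place, and flags filenames with a decoy extension in front of an executable one. The report excerpt it runs on is a constructed sample built from the line shapes seen above.

```python
"""Triage a Panda ActiveScan report of the 'Type:Name Status Location' shape.

Added example for this thread, not Panda's code.  The report excerpt is a
constructed sample assembled from line shapes in the post above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<kind>\w+):(?P<name>\S+)\s+(?P<status>Disinfected|Not disinfected)\s+(?P<location>.+)$"
)

# Extensions Windows XP will execute on a double-click...
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
# ...and the harmless-looking extensions a lure places in front of them.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "doc", "rtf", "txt", "pdf",
              "mp3", "wav", "avi", "mpg", "mpeg", "wmv", "3gp", "mov"}


@dataclass(frozen=True)
class Finding:
    kind: str       # Virus, Spyware, Adware ...
    name: str       # e.g. Trj/Downloader.MPL or Cookie/Doubleclick
    status: str     # Disinfected / Not disinfected
    location: str   # path, possibly with an [archive member] suffix


def parse_report(text: str) -> List[Finding]:
    """Keep only lines matching the finding layout; the column header
    and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def disguised_executable(location: str) -> bool:
    """True when the visible 'type' is a media or document extension but
    the real, last extension is executable (e.g. Britney Spears.jpg.exe).
    A location ending in ']' is an archive member and is judged by the
    member name inside the brackets."""
    inner = location[location.index("[") + 1:-1] if location.endswith("]") and "[" in location else location
    base = re.split(r"[\\/]", inner)[-1]
    parts = base.lower().split(".")
    if len(parts) < 3:                       # needs name + decoy + real extension
        return False
    return parts[-1] in EXECUTABLE_EXTS and any(p in DECOY_EXTS for p in parts[1:-1])


def summarize(findings: List[Finding]) -> Dict[str, int]:
    by_status = Counter(f.status for f in findings)
    return {
        "total": len(findings),
        "disinfected": by_status["Disinfected"],
        "not_disinfected": by_status["Not disinfected"],
        "cookies": sum(f.name.startswith("Cookie/") for f in findings),
        "disguised_executables": sum(disguised_executable(f.location) for f in findings),
    }


def still_present(findings: List[Finding]) -> List[str]:
    """Locations the scanner left alone; these need manual follow-up."""
    return [f.location for f in findings if f.status == "Not disinfected"]


# Constructed sample in the report's layout (a handful of the shapes above).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Philip\Cookies\philip@doubleclick[1].txt
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\Philip\My Documents\Sysclean_SafeBackup.zip[Documents and Settings/Philip/Local Settings/Temp/smoB.tmp]
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Britney Spears.jpg.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Harry Potter e book.doc.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Doom 3 release 2.exe
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Porno Screensaver britney.scr
Virus:Trj/Downloader.MPL Disinfected C:\Program Files\LimeWire\Shared\Full album all.mp3.pif
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for loc in still_present(found):
        print("manual follow-up:", loc)
```

A plain .exe or .scr in a shared folder is not flagged by the extension check on its own; the check targets the mismatch between the extension a user sees with 'Hide extensions for known file types' switched on and the one Windows actually honours.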

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 05 February 2007 - 05:45 PM

Good work Phil! :thumbsup:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found, for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

I want you to clean the cache and cookies from Internet Explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer.
Go to your Control Panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other temporary files and empty the Recycle Bin.

Go to Start and click on "Run".
Type the following in the box --> cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

I also want you to clean the cache and cookies from your Firefox browser.
There are a few infected files which need to be removed from your system.

Open the Firefox browser.
Click on the "Tools" menu and click on "Options".
Click "Privacy" in the menu on the left side of the window.
Open the History, Cookies and Cache tabs individually.
Choose the "Clear" button on each.
Click OK to close the Options window.

I think that the Panda scan you did has disinfected all the viruses that came through LimeWire, but I want to double-check to make sure. After doing the above, please navigate to C:\Program Files\LimeWire\Shared and look for either of the following two files:

2.347.821 Cracks & Serials Archive.exe
2007 Dictionary English - France.doc.exe


If you find either, please let me know.
If you don't then that's even better, but still let me know.

Then reboot a final time, and let me know how the PC is running!

#15 big--phil

big--phil
  • Topic Starter

  • Members
  • 62 posts
  • Gender:Male
  • Location:Ireland

Posted 05 February 2007 - 07:25 PM

OK, I did the final checks and my computer seems to be totally back to normal and working well. Thank you very, very much for all your help and patience. :thumbsup:

Here is my HijackThis log just in case:

Logfile of HijackThis v1.99.1
Scan saved at 00:18:29, on 06/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\dllhost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http:\\proxy.ucd.ie\proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

Thanks :flowers: