Explore topic-wise InterviewSolutions in .

i have xp sp2.
i have avg free, adaware and norton internet scan.
i have recently got something which is making IE widnows pop up alot with advertising.
i scanned with all 3 prgrams and found spyware and ad-ware. i deleted them all then scanned again with adaware which found more. i deleted them then scanned again and found more!!!!!!!!!!
what do i do???
my pc experience is limited
any help appreciated,
boooI suggest you print this out to help you follow my advice.

***********************

Make sure you have exposed all Hidden Files & Folders.

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file EXTENSIONS for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and close My Computer.

***********************

Download Combofix from here ...

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

>> Double click on combofix.exe & follow the prompts.

>> When finished it will produce a log for you. POST that log in your next reply. We'll have a look at it.

Note >> Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


***********************

Download Ewido/AVG Anti Spyware from here ….

http://www.ewido.net/en/

It has a fully working 30 day trial period.

Install it and update it to the latest definitions.

Do NOT use it yet.


Now boot to safe mode. Here’s a “how to” if you’re not sure ..

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406


When in safe mode run a full system scan with AVGAS and let it fix what it wants to.

REMEMBER TO SAVE THE SCAN REPORT and also remember where you saved it.

Reboot to normal mode and use the computer as you would usually do.

[FOOTNOTE > this is a good program to use as an “on demand” scanner even after the trial period is over. Keep it updated and use it to scan your computer from time to time].

*******************

Rehide your Hidden files & folders by carrying out the reverse operation to that described at the start of this post and use the computer as you would normally do.

*******************

If this doesn’t succeed in fixing the problem download a self-extracting copy of HijackThis from here …….

http://downloads.malwareremoval.com/hijackthis_sfx.exe

Save it to your Desktop.

Double-click on the file hijackthis_sfx.exe file and it will self-extract into its own folder ……

C:\Program Files\HijackThis

Go to this folder and run the hijackthis.exe file.

From the menu click on "Do a system scan and save a LOGFILE".

Copy and paste the AVG AS scan report, the Combofix report and the HJT logfile to this thread (you will need to break it up into several posts).

More specific removal instructions will follow.



OJ"Asher" - 2007-05-21 14:21:47 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Program Files\Mozilla Firefox\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dfiedfgk.dll
C:\WINDOWS\system32\kgfdeifd.ini
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\gfhkj.bak2
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\gfhkj.tmp
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\gfhkj.bak2
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\gfhkj.tmp
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\nnnoomn.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wbadfhjsuw.exe
C:\WINDOWS\system32\wbadfhjsuw.dat
C:\WINDOWS\system32\wbadfhjsuw_nav.dat
C:\WINDOWS\system32\wbadfhjsuw_navps.dat
C:\WINDOWS\system32\nvs2.inf


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


2007-05-18 19:09d--------C:\DOCUME~1\Asher\APPLIC~1\Lavasoft
2007-05-18 19:08d--------C:\Program Files\Lavasoft
2007-05-18 11:36d--------C:\DOCUME~1\Asher\APPLIC~1\dvdcss
2007-05-11 19:39d--h-----C:\WINDOWS\PIF
2007-05-08 13:14d--------C:\Program Files\DivX
2007-05-07 23:4998,304--a------C:\WINDOWS\system32\CmdLineExt.dll
2007-05-07 23:35d--------C:\Program Files\Alcohol Soft
2007-05-07 23:33639,224--a------C:\WINDOWS\system32\drivers\sptd.sys
2007-05-07 23:18d--------C:\DOCUME~1\Asher\APPLIC~1\FarStone
2007-05-07 23:155,501--a------C:\WINDOWS\system32\rtclcmg32.dll
2007-05-07 23:13d--------C:\Program Files\temp
2007-05-07 13:1716,512--a------C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-05-07 13:17d--------C:\Program Files\Xilisoft
2007-05-05 22:02d--------C:\Program Files\QuickTime
2007-05-02 15:53d--------C:\Program Files\RenWiz
2007-05-02 15:52d--------C:\DOCUME~1\Asher\APPLIC~1\GetRightToGo
2007-05-01 23:29d--------C:\Program Files\Album Cover Art Downloader
2007-05-01 23:29d--------C:\DOCUME~1\Asher\APPLIC~1\albumart
2007-05-01 23:01d--------C:\DOCUME~1\ALLUSE~1\CloudBrain
2007-05-01 18:18d---s----C:\Program Files\Xfire
2007-05-01 18:18d--------C:\DOCUME~1\Asher\APPLIC~1\Xfire
2007-04-30 17:1249,152--a------C:\WINDOWS\system32\AIMDL.exe
2007-04-30 17:1220,481--a------C:\WINDOWS\system32\SystemsHook.dll
2007-04-30 17:12192,512--a------C:\WINDOWS\system32\ssresources.dll
2007-04-30 17:12d--------C:\Program Files\XAimer
2007-04-29 20:35d--------C:\DOCUME~1\ALLUSE~1\APPLIC~1\MumboJumbo
2007-04-26 14:52d--------C:\DOCUME~1\Asher\APPLIC~1\Ahead
2007-04-26 14:49d--------C:\Program Files\Nero
2007-04-26 14:49d--------C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-04-26 14:182,297,552--a------C:\WINDOWS\system32\d3dx9_26.dll
2007-04-26 08:46d--------C:\DOCUME~1\Asher\APPLIC~1\vlc
2007-04-26 08:44d--------C:\Program Files\VideoLAN
2007-04-25 23:04d--------C:\Program Files\otron.net
2007-04-25 22:56d--------C:\Program Files\Microsoft Visual Studio .NET 2003
2007-04-25 22:53d--------C:\WINDOWS\system32\URTTEMP
2007-04-25 12:17d--------C:\Program Files\GameSpy Arcade
2007-04-24 23:35d--------C:\Program Files\Airbear Software
2007-04-24 19:10d--------C:\Program Files\Shockwave.com
2007-04-23 21:312,192,640--a------C:\WINDOWS\system32\kernel1.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-20 17:02:29--------d-----wC:\Program Files\Norton Security Scan
2007-05-20 15:24:40--------d-----wC:\Program Files\Common Files\Symantec Shared
2007-05-18 09:25:38--------d-----wC:\Program Files\Spyware Doctor
2007-05-15 15:40:25--------d--h--wC:\Program Files\InstallShield Installation Information
2007-05-15 14:56:10--------d-----wC:\DOCUME~1\Asher\APPLIC~1\Skype
2007-05-08 12:14:541,290----a-wC:\WINDOWS\mozver.dat
2007-05-05 20:46:39--------d-----wC:\Program Files\Apple Software Update
2007-05-01 16:58:07--------d-----wC:\Program Files\MagicISO
2007-04-29 15:28:11--------d-----wC:\Program Files\Windows Media Connect 2
2007-04-26 13:54:29--------d-----wC:\Program Files\Common Files\Ahead
2007-04-26 13:46:13--------d-----wC:\Program Files\Ahead
2007-04-26 13:23:18--------d-----wC:\Program Files\XviD
2007-04-25 21:56:57--------d-----wC:\Program Files\Microsoft.NET
2007-04-24 22:17:47--------d-----wC:\Program Files\Intel
2007-04-24 22:13:18--------d-----wC:\Program Files\Google
2007-04-20 11:46:55--------d-----wC:\DOCUME~1\Asher\APPLIC~1\Apple Computer
2007-04-20 11:46:39--------d-----wC:\Program Files\iTunes
2007-04-20 11:46:27--------d-----wC:\Program Files\iPod
2007-04-20 09:35:16--------d-----wC:\Program Files\MSN Messenger
2007-04-19 19:19:46--------d-----wC:\Program Files\KellySoftware
2007-04-19 18:56:0429,696----a-wC:\WINDOWS\mickey32.dll
2007-04-19 18:56:04232,784----a-wC:\WINDOWS\Matrix Code.scr
2007-04-19 18:56:042,285,222----a-wC:\WINDOWS\Matrix Code.exe
2007-04-19 17:10:08--------d-----wC:\Program Files\Skype
2007-04-19 17:10:08--------d-----wC:\Program Files\Common Files\Skype
2007-04-19 17:06:30--------d-----wC:\DOCUME~1\Asher\APPLIC~1\PC Tools
2007-04-19 16:54:56--------d-----wC:\DOCUME~1\Asher\APPLIC~1\Real
2007-04-19 16:54:46--------d-----wC:\Program Files\Common Files\xing shared
2007-04-19 16:54:42--------d-----wC:\Program Files\Common Files\Real
2007-04-19 16:54:32--------d-----wC:\Program Files\Real
2007-04-19 16:02:35--------d-----wC:\DOCUME~1\Asher\APPLIC~1\Google
2007-04-18 13:45:11163,644----a-wC:\WINDOWS\system32\drivers\secdrv.sys
2007-04-18 11:09:29--------d-----wC:\Program Files\LimeWire
2007-04-17 20:58:06--------d-----wC:\Program Files\Messenger
2007-04-17 18:39:07--------d-----wC:\Program Files\BitComet
2007-04-17 18:28:272,560----a-wC:\WINDOWS\system32\BitCometRes.dll
2007-04-16 21:55:14--------d-----wC:\Program Files\The Creative Assembly
2007-04-16 21:55:14--------d-----wC:\Program Files\Common Files\InstallShield
2007-04-16 21:52:58614----a-wC:\WINDOWS\eReg.dat
2007-04-16 21:46:30--------d-----wC:\Program Files\EA Games
2007-03-20 00:34:27--------d-----wC:\Program Files\Delux
2007-03-17 13:43:01292,864----a-wC:\WINDOWS\system32\winsrv.dll
2007-03-16 00:56:100-c--a-wC:\WINDOWS\nsreg.dat
2007-03-15 16:54:3912,219,983------wC:\AVG7QT.DAT
2007-03-14 23:01:59502,272----a-wC:\WINDOWS\system32\winlogon.exe
2007-03-14 22:56:05192,627----a-wC:\WINDOWS\Bug MANAGER Uninstaller.exe
2007-03-14 22:56:05--------d-----wC:\Program Files\Fitbug Limited
2007-03-14 22:56:05--------d-----wC:\Program Files\Common Files\Thraex Software
2007-03-14 22:54:48499,712----a-wC:\WINDOWS\system32\msvcp71.dll
2007-03-14 22:54:48348,160----a-wC:\WINDOWS\system32\msvcr71.dll
2007-03-14 16:31:130-c--a-wC:\WINDOWS\PowerReg.dat
2007-03-14 16:28:28--------d-----wC:\Program Files\Infogrames Interactive
2007-03-13 22:04:56--------d-----wC:\Program Files\Microsoft Works
2007-03-13 21:39:46--------d-----wC:\Program Files\C-Media 3D Audio
2007-03-13 19:31:55--------d-----wC:\Program Files\microsoft frontpage
2007-03-13 19:31:330--sha-rC:\MSDOS.SYS
2007-03-13 19:31:330--sha-rC:\IO.SYS
2007-03-13 19:31:330----a-wC:\CONFIG.SYS
2007-03-13 19:31:330----a-wC:\AUTOEXEC.BAT
2007-03-13 19:30:24--------d--h--wC:\Program Files\WindowsUpdate
2007-03-13 19:29:35--------d-----wC:\Program Files\Common Files\MSSoap
2007-03-13 19:29:27--------d-----wC:\Program Files\Movie Maker
2007-03-13 19:28:3521,640----a-wC:\WINDOWS\system32\emptyregdb.dat
2007-03-13 19:28:19--------d-----wC:\Program Files\Online Services
2007-03-13 19:28:11--------d-----wC:\Program Files\MSN Gaming Zone
2007-03-13 19:28:02--------d-----wC:\Program Files\Windows NT
2007-03-08 15:36:28577,536----a-wC:\WINDOWS\system32\user32.dll
2007-03-08 15:36:2840,960----a-wC:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28281,600----a-wC:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:481,843,584----a-wC:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02185,344----a-wC:\WINDOWS\system32\upnphost.dll


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{18AA4575-67E5-4807-92AF-A4923D98E974}=C:\WINDOWS\system32\byxyvtu.dll []
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll [2007-03-29 15:31]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36]
"Cmaudio"="cmicnfg.cpl" []
"Bug Manager"="C:\Program Files\Fitbug Limited\Bug Manager\BugManager.exe" [2007-02-21 12:24]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-19 17:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 14:52]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-18 19:26]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-03-19 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-04-03 19:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{18AA4575-67E5-4807-92AF-A4923D98E974}"="C:\WINDOWS\system32\byxyvtu.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvtu]
byxyvtu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Asher^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Asher\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Asher^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Asher\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup


Contents of the 'Scheduled Tasks' folder
2007-05-18 21:55:17 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-18 14:21:46 C:\WINDOWS\tasks\Norton Security Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 14:26:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Asher\My Documents\Downloads\Finished Downloads\Hack and crack\Every *censored* Windows Keygens\WinXP Windows XP activation (works with pro, home and home upgrd.)\WinXP Windows XP activation Crack (works with pro, home and home upgrd.)\1Installer.exe 294912 bytes
C:\Documents and Settings\Asher\My Documents\Downloads\Finished Downloads\Hack and crack\Every *censored* Windows Keygens\WinXP Windows XP activation (works with pro, home and home upgrd.)\WinXP Windows XP activation Crack (works with pro, home and home upgrd.)\INSTRUCTIONS.txt 352 bytes
C:\Documents and Settings\Asher\My Documents\Downloads\Finished Downloads\Hack and crack\Every *censored* Windows Keygens\WinXP Windows XP activation (works with pro, home and home upgrd.)\WinXP Windows XP activation Crack (works with pro, home and home upgrd.)\pop-up.bat 216 bytes
C:\Documents and Settings\Asher\My Documents\Downloads\Finished Downloads\Hack and crack\Every *censored* Windows Keygens\WinXP Windows XP activation (works with pro, home and home upgrd.)\WinXP Windows XP activation Crack (works with pro, home and home upgrd.)\reset2.exe 61440 bytes
C:\Documents and Settings\Asher\My Documents\Downloads\Finished Downloads\Hack and crack\Every *censored* Windows Keygens\WinXP Windows XP activation (works with pro, home and home upgrd.)\WinXP Windows XP activation Crack (works with pro, home and home upgrd.)\winlogon.exe 417792 bytes
C:\Documents and Settings\Asher\My Documents\Downloads\Finished Downloads\Hack and crack\Hackers Pack\Windows Genuine Advantage Program\How to bypass windows Genuine Advantage Check on Windows XP\How to bypass windows Genuine Advantage Check on Windows XP_files\index.1.jpg 86016 bytes
C:\Documents and Settings\Asher\My Documents\Downloads\Finished Downloads\Hack and crack\Hackers Pack\Windows Genuine Advantage Program\How to bypass windows Genuine Advantage Check on Windows XP\How to bypass windows Genuine Advantage Check on Windows XP_files\index.2.jpg 32768 bytes
C:\Documents and Settings\Asher\My Documents\Downloads\Finished Downloads\Hack and crack\Hackers Pack\Windows Genuine Advantage Program\How to bypass windows Genuine Advantage Check on Windows XP\How to bypass windows Genuine Advantage Check on Windows XP_files\Thumbs.db 12288 bytes

scan completed successfully
hidden files: 8


********************************************************************

Completion time: 2007-05-21 14:30:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-21 14:30

--- E O F ---
You haven't posted a fresh HJT log neither have you reported back as to how your system is working now. You need to do both please.

Two things worry me.

Firstly, you seem to be using P2P file sharing software. Whilst the P2P program you use (e.g. Limwewire) may not be infected with malware the files you download may very well be. There is little or no point in us fixing your computer if you go online only to get reinfected again. We are all wasting our time.

My recommendation is that you stop using P2P for the time being at least. Teach yourself more about it and how to check that downloaded files are clean.

A couple of useful articles for you to read ...

http://www.spywareinfo.com/articles/p2p/

http://p2p.malwareremoval.com/


Of more importance, though, the your copy of Windows and other software on this system. I have a suspicion you are not using a legit copy of the Windows operating system and/or other software on this computer is warez/cracked.

Please confirm the position and let us know which software on this computer is warez/cracked.

Thanks.


OJfirst off, i was going to include the scan report. (its massive, i have nearly 400 infected files) do you still want me to post it?

my windows xp is not genuine because i was not given a xp cd and i had to renstall so i downloaded a .torrent.

i do have some cracked software
here they are:
XP SP2
Renwiz file renamer
xilisoft DVD burner
Nero 7 ultra ediition
I can't help you any further because I understand it is the policy of this site not to fix illegal copies of software. This is also my own personal philosophy.

In any event, any fix we would suggest would be unlikely to work as it is the pirated software that is causing your trouble. We fix it ... you go online and get infected again.

Like I've said before we are all wasting our time.

First you should get yourself a legal copy of windows and stop using the other cracked programs.

We can help you after that.


OJyou said it didnt come with a cd where did you get the computer?? a manufacture?? a private custom shop? you might be able to get a cd to reformat withDue to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

I have a trojan on my windows me computer & I need help getting it off. My Avast antivirus will not quaranteen it either.

It's~~ Win32:OnLineGames-QC (Trj)

C:\RESTORE\TEMP A0027125.CPY

Thanks in advance!Two things to try...

1. Scan in Safe Mode.

2. Turn off System Restore, reboot your computer, and turn System Restore back on.

What other protection do you have?What do you suggest for extra protection on an old computer like this?It depends on your OS and computer specs, but some of my general suggestions (from a canned speech) are...


To help protect your computer in the future, I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  
• SpywareGuard to catch and block spyware before it can execute.
  
• SiteAdvisor to GIVE you reports on which sites are safe and which ones aren't. Be sure to actually read the reports and use your on disretion, because it's not always accurate.
  
  

• Kerio Personal Firewall
  
• ZoneAlarm
  
• Comodo Firewall
  

• AVG Anti-Virus

• Microsoft Windows Update
  

• AdAware SE Personal
  
• Spybot Search & Destroy
  
• AVG Anti-Spyware
  
• SUPERAntiSpyware
  

HI. recently i my firefox203.WOULD not appear,yet opera and ie7 did,all scaners showed nothing- avast, avg, avg root, xsoft se ,adaware se, virgin pc guard,and symetec 108 search assitant remover found nothing.then SPYWARE TERMINATER found 108search,and attika somthing .after 2 scans it removed them and order was restored.can you tell me why i keep getting these infections as i dont KNOW where there coming from.
thanks for your time..........cheers..........They are coming from web sites you are visiting.
Thanks for your time contrex....Quote

Thanks for your time contrex....

HI all, ive just built myself a new computer, its pretty flash and im pretty happy with it. My problem is, i keep contracting spyware and stuff in large amounts. im running adaware, avast, spybot search and destroy. its to the point where if i do an adaware SCAN each hour im almost guaranteed to have picked up some more. i have no idea what is causing it. ive posted a hijack this log below, appreciate any help i can get. I have no idea what it is that is attracting so much spyware to my computer, im not downloading or anything. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:40:30 PM, on 22/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Brendon\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gibblets.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 CONTROL Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
I don't see anything malicious in this log. I am a bit curious about the following entry, though...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gibblets.com/

Are you familiar with this Gibblets site? If not, then this is something we should address.



Do you recall any of the the spyware that has been picked up by your scanners? Are you sure they weren't just Tracking Cookies? Next time you perform a scan, perhaps you can POST a log of the results. Perhaps it's not as worrisome as you think it is.

Also, do you have a firewall? If not, you should definitely get one. I'd be happy to give you some suggestions.




You may want to look into getting SpywareBlaster and SpywareGuard on this computer. However, don't install these programs until after I see a log from at least one of your malware scanners. Mainly for curiosity's sake.also to aide get superantispyware


EDIT: oh my my head is a weird shape now like an eggthanks for the replys, yeah gibblets.com is a gaming forum that i frequent so there is no worries there at all.

you were right on the money with the scans as well. they are in fact tracking cookies, the thing is that i dont understand (as i dont no a lot about spyware) is how can i be getting 7 - 10 tracking cookies after half an hour of browsing trusted sites?

however last week i didnt do a scan for the week and when i did one i found over 95 critical objects that was all sorts of stuff, however at this point i have removed all of those and it seems that only tracking cookies are hitting me at this point.

i dont have a firewall at this point, ive heard good things about comodo.... any thoughts on this?ive been doing a bit of reading and wondered, is it better to remove avast, put on avg and also the avg antispyware??? if i did this, should i still run ad aware and spybot search n destroy in conjunction with these?Although you know the sites to be trustworthy, they probably still have ads. And that's where the tracking cookies often come from. And the sites themselves might be downloading them on your computer for whatever purposes. It's really nothing to be worried about. They're just little text files that keep track of a little bit of information. If you use Spyware Blaster, that will block a lot of the cookies from unwanted sites. The majority of the ones that do get on your system will be no cause for concern.

Avast vs. AVG is mainly a matter of preference/opinion. Personally, I greatly prefer AVG and I would suggest switching over to it. But that's up to you. Try it out and see if you like it or not. Either WAY, I would advise getting the Anti-Spyware. It's very, very useful and has a load of features. And yes, you can still use Ad-Aware and Spybot. Just make sure you don't use them at the same time; let them take turns.

I personally haven't used Comodo, but I also hear good things about it. It's worth looking into and it's certainly better than just using your Windows Firewall (which you'll want to disable when installing a new one). ZoneAlarm tends to be more popular, but some people have bad luck with it slowing down their computers. Just try them (one at a time) and see which suits you best.These two tutorials will take you through all you need to help keep a stand alone computer safe (the link to all free downloads are given) .....

http://www.help2go.com/Tutorials/Protect_Your_PC/Avoid_Web_Browser_Hijackers.html

http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html


In addition you can download Superantispyware and/or (IF you are on Windows 2000 or XP) AVG Anti Spyware. They are both excellent scanners and malware removers but the free versions, after the trial periods, don't have any "real time" protection.

Superantispyware > http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

AVG Anti Spyware >
http://www.ewido.net/en/



OJthanks heaps for all your help guys. taken a load off my mind. i built a fairly expensive rig so i wanted it to all run smoothly. thanks again.Definitely understandable. I felt the same way when I first got my current computer, which is what got me interested in malware removal. I'm glad we could help put your mind at ease.Especially with a "self build" like Blink has ... no support to fall back on!


OJthat one con of custom computers but its well worth it to have one...

also if you use forefox you will get less tracking cookies and your online browsering will be betterAs this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

Quote from: HELPER on May 24, 2007, 03:01:50 PM

hmm, then what was i thinking of?

What i meant was popular sites like addictinggames.com or somethingoh then most LIKELY not.. just TRACKING cookiesYou could get one of Sierra's games. They're free, good, and don't have viruses.
I RECOMMEND Ground Control, but Tribes 2 is pretty good.ok cuz i WENT to this SITE and i got trojan.peacomm and 13 other backdoor trojans.
cant remember what site it was.This was helpful

Remember everyone ... below is the link to the "first fix" for flash drive infections. Save yourselves a whole lot of grief .....

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe


OJCongrats, I see a clean log.

You'll want to clean out your System Restore. This is to remove any infected files that have been backed up by Windows. Please follow these steps...

1. Go to Start > Programs > Accessories > System Tools > System Restore
2. Click on System Restore Settings.
3. CHECK Turn off System Restore and click OK.
4. Restart your computer.
5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6. Create a new restore point and close the program.

System Restore will now be active again. If you would like to learn more about System Restore, go here.


Make sure you keep both Windows and Java up-to-date. And of course, you'll want to update your anti-virus and scan once a week in SAFE Mode while you're sleeping or out doing something.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

And, of course, be very careful the next time you decide to use someone's flash drive. It's like sharing a needle. Terrible comparison, I know, but it's true. If you've been following along, you should have some good programs on your computer. Read unlovedwarrior's signature and get anything mentioned that you don't already have. If you have any other questions, feel free to ask.As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another MODERATOR and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

I recently got this use computer, It has no Virus protection at all. I just got done upgrading it to window vista home. I having install any virus protection yet. Some how my friend downloaded something on the net and now my computer is affective by a virus. My computer keeps showing: "RESTART and log off, restart and log off" repeated when I log in. How do I fix this problem. Can anyone help.look at my signature and see which of those programs will run in vista.. run scans in safe modeLike unlovedwarrior said, CHECK out some of those programs and see which ones you can GET to work in Vista. I suggest AVG Free. Update it and scan with it in Safe Mode. Let it clean whatever it wants and when it's done, restart your computer and POST a HijackThis log.thanks guys I will TRY this.Ccleaner will work, superantispyware will, i think the AVGs also will work not sure about the adaware and spybotQuote from: thaokou on May 29, 2007, 12:01:04 PM

Some how my friend downloaded something on the net and now my computer is affective by a virus.

Right, i'm on Comodo. I was going to ask, are Window's Firewalls not adequate then? It's just, having security programs gets me concerned about everything. I end up monitoring them for ages just to see what actually happens, and then these particular firewalls need you to allow all sorts of programs to connect, which is just alot of hassle for the less computer literates in my household. I always thought a firewall was just that ... a device that prevented hackers and bad things from getting onto your PC, never knew they were this sophisticated.

Windows XP SP2, IE-7why the poll??

what PROTECTIONS do you have??
when did this start??
what sites does this happen or or is it when u first open IE??Isn't that a MySQL error? It shouldn't have anything to do with your computer...

What exactly are you doing when you get these errors?
And like unlovedwarrior asked, what sites does this happen on? Some links would be helpful.All valid replies here (I think the poll was a posting error).

I've only ever seen this once before on another site where I'm a member. On that occasion the HJT log revealed other malware in and COMBOFIX sorted it all out (including the OP's ORIGINAL error message).

Combofix may also HELP here if nothing else works but no promises.


OJdoes it happen in Firefox?? Don't mind this POST; it's just a bit of general maintenance.

Before i do anything i how do i find out my ISP Dont want to delete incase it is mine.You don't know your ISP? Who do you send your payments to? Ha.

Well, in any case...deleting that entry won't interfere with your internet. Some infections just tend to change the IP address in order to redirect you to their site when you visit certain pages. However, since the address in your log points to RIPE, I wouldn't be too concerned. Whether you fix it or not, you should be fine.WELL THAT WAS FUN!! HAHA heres the 1st log
I FORGOT to save the hijack this scan i just deleted the files you told me to sorry , i have done one in normal mode





Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Ahead\\SIPPS\\Phone.exe"="C:\\Program Files\\Ahead\\SIPPS\\Phone.exe:*:Disabled:Phone"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\BitLord2\\BitLord.exe"="C:\\Program Files\\BitLord2\\BitLord.exe:*:Enabled: "
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1179284815\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1179284815\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1179284815\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1179284815\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX00.141\\GeonX.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX00.141\\GeonX.exe:*:Enabled: "
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX05.844\\DCPlusPlus.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX05.844\\DCPlusPlus.exe:*:Enabled:BCDC++"
"C:\\Program Files\\Common Files\\AOL\\1179371629\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1179371629\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1179371629\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1179371629\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX00.406\\TSearch.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX00.406\\TSearch.exe:*:Enabled:TSearch Application"
"C:\\Documents and Settings\\Owner\\Favorites\\Desktop\\internet explore.exe"="C:\\Documents and Settings\\Owner\\Favorites\\Desktop\\internet explore.exe:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX05.547\\TSearch.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX05.547\\TSearch.exe:*:Enabled:TSearch Application"
"C:\\Program Files\\ICQ\\Icq.exe"="C:\\Program Files\\ICQ\\Icq.exe:*:Enabled:ICQ"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\Real\\RealProducerPlus\\realprod.exe"="C:\\Program Files\\Real\\RealProducerPlus\\realprod.exe:*:Enabled:RealProducer Plus"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winBF.tmp.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winBF.tmp.exe:*:Enabled:winBF.tmp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files:
---------------
Hijackthis scan>>>>




Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:34:09, on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.icq.com/start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80BF6E-4C18-457B-89FD-3FF1D5092F16}: NameServer = 212.139.132.21 212.139.132.20
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
END of file - 4244 bytes
Well, Tony, it looks pretty clean to me. And I hope it stays that way! I recommended some protection programs to you before and if you did indeed download them, then I feel no need to lecture you there. You said you installed a firewall? I don't see any mention of one in your log; is it enabled? I can recommend some good free firewalls if you want.

You need to update your programs regularly and scan in Safe Mode at least once a week. And most importantly, you should stay away from those warez sites! They're nothing but trouble for you. And if you continue to get infected from them, I'm obligated by the policy here to no longer assist you because it creates a lot of unnecessary work. And, well, that sort of ACTIVITY is generally frowned upon here.

If you don't already have it, I would suggest getting SpywareBlaster on that computer. It doesn't run in the background, so it won't slow down your computer. All it does is make some changes to the registry to help prevent spyware from getting downloaded onto your computer. This, of course, won't protect you from everything; it just helps a bit.

If you have any questions, feel free to ask and I'll do my best to answer.I dont think i will be going into those sites no more

To much hassle than its worth to be honest......

Cheers for ya help chris. As always you come through mate. Top jobSorry and yes i have spywareblahster just clicked it haha .... have a look at my post in networking . Not sure if thats your area but it certainlly aint mine lol haha. cheers againI'm glad I could help you out here. And I'll be sure to take a look at your post, but I'll warn you, it's not my area either. Ha.As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.


EDIT: Tony, expect a PM from me soon. There are still a couple of things I want to go over with you.

I have just downloaded uniblue pack , it comes with SPY eraser regisrty booster and speed me up , i just wanted to know what people think of the programs in general , some 1st class opions would be cool. Well, it appears to be legit, but I've never used it. All I can say is that I personally wouldn't trust it. But that's just me.Yh it seems ok it picked up tons of errors on its error fixing tool like over 1500 haha , it said it fixed them all , theres also a spyware blocker on my taskbar now which is very cool , its posted all over torrent sites , with tons of seeds , so it has to be good..The first search i did for it guaranteed me i'd find chicks in New York...

Take that for what it's worth.

If you check our database for protection programs you will find excellent suggestions...most of them Free.

No need to experiment.HAHA best program EVER , the search brings up hot chicks in new york woohoo haha , im gunna stick with it for a while seems to be doing all right.

I have 6 anti-virus programs installed so far , i think? im going all out for 10... so those virus's will find it harder to leek into my system.Keep in mind that there's a difference between anti-spyware and anti-virus. It's generally ALRIGHT to have multiple anti-spyware programs. But it's usually best to only have one anti-virus. You can have more than one, but be SURE to disable the ones you don't use as often.Uniblue has some excellent software...

I've used some of their products...although it's not free...which is what most of you are looking for here...it is tried, tested and true.I have the full installs of everything to do with uniblue...

well i noticed that the other day my mouse started to click randomly very fast but then stoped. Today however it has been non stop eg i went to click firefox icon and 99 windows will pop up so my pc will just crash and then when i try to get task manager up it minamize automaticly. So i though i could have been a virus so i scanned using avast, came up with nothing so try bt yahoo spyware scan nothing there, then it was really pissing me off so i went and tried ad-ware and then spyware doctor and bother did not fix the problem. I have just tried system restore as a last resort but no luck there, any on got an idea of what is going on?

Windows Xp Sp2
AMD Athlon 64 X2 dual 4200+ 2.21 GHz
1 GB ram

Edited to remove excessive blank space. — CBMattHow long has this been happening?
Did you make any changes prior to this?
What kind of mouse do you have? USB or PS/2? Wireless?

I have to go for now, but go ahead and answer my questions and post a HijackThis log, and I or someone else will get back to you as soon as possible.Try a brand new mouse...they're not that expensive...

BTW is it a PS2 wireless or other ...you didn't specify.Its a PS2 mouse
I made no changes to the mouse only installed some software, photoshop
it only started happening the other day but has got worse today

Logfile of HijackThis v1.99.1
Scan saved at 21:47:40, on 26/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUMENTS and Settings\Mark\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF READER Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra CONTEXT menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176808814578
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177266063750
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Have you tried another mouse or are you convinced this is a mouse virus ? ?Sorry for the wait, hot4u.

First...I see that you have HijackThis running from your desktop. You have it in a permanent location, which is good because it makes important backups that you may end up needing. However, to help you avoid clutter and to help ensure that the backups stay safe, I would like you to move it to a special location.

• Double-click on My Computer to open it and navigate to C:\Program Files.
  
• Right-click on the empty (white) space and go to New > Folder.
  
• Name the folder something like HJT and move HijackThis into that new folder.
  
• If you would still like to run HijackThis from the desktop for convenience, right-click on HijackThis and click on Create Shortcut. This will create a shortcut to the program; move the shortcut to the desktop.

I was curious about it, but who am I to question the powers that be.yes, congrats again to ALL new mods (sorry ... I didn't realise Chris wasn't the only one).

I've just noticed ... good to see I'm "hopeful". Very apt ... I am generally hopeful.


OJ Quote from: Calum on May 27, 2007, 05:10:43 AM

It's not just me then.
I think Nathan had to handle the other moves too.
We can't tell, there is no INDICATION of who started topics.

The wiki template looks nice but there are a few problems with it.
Perhaps the normal template may be a good idea.

Hello, I have looked around for a Bootable CD with Virus Scan capabilities and havent found anything yet. I tried to create a Bart PE Bootable CD with Norton AV, but it doesnt work.

Does anyone have any SUGGESTIONS on how to create a Bootable CD with Antivirus functionality, or any products out there that support this with latest virus DEFINITIONS?

Currently to repair infected Hard Drives I have to boot off of a clean HD and put the infected HD in as a slave drive to scan and repair. It would be so much easier if I COULD boot off a CD to repair the HD of viruses.

McAfee use to have this function bundled into their CD, but it would only scan against an old definition. I am using Norton Antivirus Corporate Edition 8.1 currently.

Thanks..

DaveHere is a pretty good AV program with a fast scanner. You can ALSO create a recovery disk with it (with virus scan capabilities).

www.pandasoftware.com

I'm running Windows XP and Internet Explorer browser. My question is

Hi if anyone has any advice I would be very greatfull. Last year I purchased and downloaded Norton Antivrus 2006 from the internet. It has NEVER worked properly. I am unable to update the virus definition. I am able to activate the live updat software although the program does not update. Before I purchased Norton 2006 I used the computer at my University and installed the University's copy of norton 2005. Know everytime I try to update my 2006 program it tries to update from the old University. Any idea's ?My view (and I'm sure also the view of many others here) is that Norton is bloated and a resource hog. Not only that but it doesn't seem to stop all the malware it should.

FIRST .... download a replacement FREE antivirus program (AND a free firewall if you need one) from the following list ...

Free AV

AVG > http://free.grisoft.com/doc/1

Avast > http://www.avast.com/eng/avast_4_home.html

Antivir > http://www.free-av.com/antivirus/allinonen.html

**Comodo > http://www.antivirus.comodo.com/ [AV in beta only as at 13.5.07]

AntidoteLite >
http://www.vintage-solutions.com/English/Antivirus/Super/index.html

Clamwin > http://www.clamwin.com/



Free F/W …..

Zone Alarm > http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za

Sygate > http://www.simtel.net/product.download.mirrors.php?id=53687

Sunbelt Firewall (formerly Kerio) > http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

**Comodo > http://www.comodo.com/products/free_products.html

m0n0wall > http://m0n0.ch/wall/
(I’ve heard good things about monowall but it takes some setting up, I believe)

Smoothwall > http://www.smoothwall.org/

Tiny Personal > http://www.webmasterfree.com/tpfw.html

Outpost > http://www.agnitum.com/products/outpostfree/download.php


SECOND .... come offline, disable Norton completely.

THIRD ..... install the new antivirus and firewall.

FORTH ..... go back online to .....

>> activate/register your new antivirus and firewall

>> go here an use the Norton Removal Tool to get rid of Norton from your machine.

http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039?OpenDocument&seg=hm&lg=en&ct=us

Let us know how you get on.



OJget avg its really nice firewall wise ive only used zonealarm.OJ...add Jetico to your free firewall list. SMALL footprint but effective.

Scored 2nd highest in the last test reports i saw.

Take Care.Yeah ... I was forgetting that one. So much to remember, so few active brain cells....

I will indeed add it to my list.

Get it here ... http://www.jetico.com/index.htm#/jpfirewall.htm

Thanks for reminding us.


OJQuote from: oddjob on MAY 24, 2007, 03:31:08 PM

Yeah ... I was forgetting that one. So much to remember, so few active brain cells....

I'm running Windows XP and Internet Explorer browser.

I installed Norton Antivirus 2007 about a month ago and have noticed several things about it that I don't like compared to the 2006 version.

I constantly experiance a small pop-up from Symantec in the lower right of my screen stating: "A recent attempt on your computer has been blocked". When I check for details I usually find that it has flagged the same incident repeatedly until another occurs. Furthermore, there is really very little to do about such incidents if they are being blocked, thus the pop-up becomes very annoying. It will occur no matter where I am at (on any page) but sometimes will appear only on the desk top. I know this because I've moved the page slightly to observe that corner of the desk top screen. My question is; how do I disable it? I've addressed the issue to Symantec Tech Support but I cannot seem to get them to fully understand the nature of my problem. Any suggestions?

Another thing I've noticed about the 2007 version is that I cannot request a full scan, only a partial scan. I assume that the full scan is done on predetermined schedule. Am I missing here?

Thank you; any suggestion appreciated.have you played with the options?

full scan
I had norton anti 07 for about a week , then GOT read of it , the program itself , is not great , they have spent to much time making it look flashy rather than improve there services on the program itself , i had no problem doing a full scan on it though, that is odd , but the POP UPS i had them, it blocked most of my connection so i couldnt get online , i would check your config in the tools menu and unblock and block certain things that you want norotn you allow you access to your internet i had that mesage , RECENT ATTACK every 5 mins , i found out it was a p2p client trying to connect while i was downloading allthough i wont use p2ps anymore ...... im not a fan of norton to be honest.....Free alternatives:

Avast

AVG

Norton RemovalThank guys; I found the full scan, it's not exactally "in your face". I still can't seem to get rid of the pop-up. I think I'll dump NAV2007.

Just one more dumb question: Is there anything I should consider or do to clean up after I uninstall? travel here to completely remove the norton virus..

and get a another antivirus like avgThanks allwelcome
Quote

I constantly experiance a small pop-up from Symantec in the lower right of my screen stating: "A recent attempt on your computer has been blocked". When I check for details I usually find that it has flagged the same incident repeatedly until another occurs. Furthermore, there is really very little to do about such incidents if they are being blocked, thus the pop-up becomes very annoying. It will occur no matter where I am at (on any page) but sometimes will appear only on the desk top. I know this because I've moved the page slightly to observe that corner of the desk top screen. My question is; how do I disable it? I've addressed the issue to Symantec Tech Support but I cannot seem to get them to fully understand the nature of my problem. Any suggestions?

3) Click Intrusion Detection and then click Configure.

Can you tell me what options are available in your Norton Antivirus 2007...apparently I'm using Norton Internet Security 2007 and got the two confused...my bad...

Open your product and look for the Options link....it's there somewhere on the first page you see when the program opens.

Look for and select Antivirus alerts.

Just disable the alerts and save your settings.

If worse comes to worse...you can tell me what you see and I'll walk you through it.

Not sure if this should be posted here or in Off Topic:

Quote

There is a reason NORTON is known as the Norton virus, and there is an entire FAQ article dedicated to its removal.
This advice is not the best, to say the least.
Please ignore it.

Oh, and I see you've beaten my highscore at Simon... You do realize this won't be tolerated, right?

But the comment quoted was in response to advice to buy Norton to get rid of one Trojan, which I thought was pretty poor when free software could do the job.

Quote from: patio on JUNE 04, 2007, 07:37:55 PM

Ranked second in the latest comprehensive leak/block test i read...have you tried it? ?

I QUIT trusting CNet for reviews after they told me how great WINME was gonna be. Needless to say that was awhile ago.

patio so far i like it but it keeps asking the same stuff over and over again even if i allow premently

why is it that i can connect to the internet via wifi yet my AVG antivirus and avg anti-spyware could not connect to the UPDATE servers? i wrote them, they did not respond yet. is it in my settings? or is my server hindering me from doing this? thank you.i have just downloaded the updates manually (and not via the avg icon) but i could not open the file because it is in the *.bin format. can you suggest what free downloadable program i could effectively use? thank you.How long has this been happening? It's possible that the servers were just down when you tried; it happens fairly often (just now HAPPENED to me). If you would LIKE to update AVG Anti-Virus manually, update just like you normally would. But this time, click on Folder instead of Internet and navigate to the .bin file you downloaded.

As for Anti-Spyware...you might just have to keep trying until you get through. As far as I know, they don't have manual update downloads for this program; only Anti-Virus.great_jaspah .......Re your AVG updates.....

AVG anti-virus should update automatically every day ...... assuming your pc is on at the time SPECIFIED for the update.

AVG Antispyware ........ Must be updated manually, unless you have the paid for version . I just did a antispyware update manually , I just clicked the update icon, was connected and d/l the updates .

Is it possible your system is infected ?

dl65

This one might be a little tricky, but we're gonna try to get this thing.

First, open up Task Manager and end the following processes...
shellker.usr
NICCONFIGSVC.usr
ssonsvr.usr
client.usr
YahooMessenger.usr
mdm.usr
pccntmon.usr
ANYTHING ELSE THAT ENDS WITH .USR.


Now, for your log...
Your HijackThis is in a temporary location. If you leave it there, it (along with its important backups) can and will eventually be deleted. Please navigate to its current location (CURRENT LOCATION) and it move to a NEW permanent folder at C:\Program Files\HJT.

Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file. Open HijackThis and scan again. Check the following entries, but don't do anything to them yet...

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.usr
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.usr" -atboottime

O16 - DPF: {E4F874A0-56ED-11D0-9C43-00A0C90F29FC} (ActiveBar Class) - http://srvcm01hq/cm/cabs/actbar.cab

Now, CLOSE all windows (including this one) besides HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

Navigate to and delete the following file(s) if present...

C:\Program Files\Dell\QuickSet\Quickset.usr
C:\Program Files\QuickTime\qttask.usr
C:\Windows\USR_Shohdi_Photo_USR.exe
C:\Windows\system\USR_Shohdi_Photo_USR.rsu
NOTE: If you don't find either of the two Shohdi files, perform a system-wide search for them.

Once you've done all of this, reboot into Normal Mode.


You might want to take a look at this removal procedure I found on the Sophos site...
Quote

1. Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Add any RELEVANT IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
2. Restart the computer in Safe Mode. Go to Start|Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the third option 'Safe Mode with Command Prompt'.
3. At the infected computer, place the CD in the CD drive (D: in this example).
At the command prompt type
D:

to access the CD drive. Type:
CD SAV32CLI

Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

to remove the virus.
4. Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions.
5. Replace the infected files with 'clean' versions from the original installation media or a clean PC.
6. If problems persist, contact support.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and PASTE it in the box that opens:

Files to delete:
C:\WINDOWS\USR_Shohdi_Photo_USR.exe
C:\WINDOWS\ua2.dll

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt Post that.

2007-05-01 12:12d--------C:\Documents and Settings\Administrator\Shared
2007-05-01 12:12d--------C:\Documents and Settings\Administrator\Incomplete
2007-05-01 12:12d--------C:\DOCUME~1\ADMINI~1\Shared
2007-05-01 12:12d--------C:\DOCUME~1\ADMINI~1\Incomplete
2007-04-30 22:32d--hs----C:\RECYCLER
2007-04-30 22:06d--------C:\Program Files\LimeWire
2007-04-30 22:06d--------C:\Documents and Settings\Administrator\.limewire
2007-04-30 22:06d--------C:\DOCUME~1\ADMINI~1\.limewire
2007-04-30 21:53d--------C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-04-30 21:4625,600--a------C:\WINDOWS\system32\drivers\usbser.sys
2007-04-30 21:46d--------C:\Program Files\Avanquest update
2007-04-30 21:45d--------C:\Program Files\Motorola Phone Tools
2007-04-30 21:45d--------C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-04-30 21:4424,192--a------C:\WINDOWS\system32\drivers\usbsermptxp.sys
2007-04-30 21:4424,192--a------C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-30 21:4424,192--a------C:\DOCUME~1\ADMINI~1\usbsermptxp.sys
2007-04-30 21:4422,768--a------C:\Documents and Settings\Administrator\usbsermpt.sys
2007-04-30 21:4422,768--a------C:\DOCUME~1\ADMINI~1\usbsermpt.sys
2007-04-30 20:22262,144--a------C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-30 20:19d--------C:\Program Files\MSXML 4.0
2007-04-30 19:1357,472--a------C:\WINDOWS\system32\drivers\redbook.sys
2007-04-30 19:133,072--a------C:\WINDOWS\system32\drivers\audstub.sys
2007-04-30 19:12870,784--a------C:\WINDOWS\system32\ati3d1ag.dll
2007-04-30 19:1274,240--a------C:\WINDOWS\system32\usbui.dll
2007-04-30 19:12516,768--a------C:\WINDOWS\system32\ativvaxx.dll
2007-04-30 19:1242,240--a------C:\WINDOWS\system32\drivers\VIAAGP.SYS
2007-04-30 19:1227,165--a------C:\WINDOWS\system32\drivers\fetnd5.sys
2007-04-30 19:12229,376--a------C:\WINDOWS\system32\ati2cqag.dll
2007-04-30 19:12201,728--a------C:\WINDOWS\system32\ati2dvag.dll
2007-04-30 19:121,888,992--a------C:\WINDOWS\system32\ati3duag.dll
2007-04-30 19:121,540,608--a------C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-04-30 19:118,192-ra------C:\WINDOWS\system32\kbdhept.dll
2007-04-30 19:116,656-ra------C:\WINDOWS\system32\kbdhela3.dll
2007-04-30 19:116,144-ra------C:\WINDOWS\system32\kbdtuq.dll
2007-04-30 19:116,144-ra------C:\WINDOWS\system32\kbdtuf.dll
2007-04-30 19:116,144-ra------C:\WINDOWS\system32\kbdhela2.dll
2007-04-30 19:116,144-ra------C:\WINDOWS\system32\kbdgkl.dll
2007-04-30 19:115,632-ra------C:\WINDOWS\system32\kbdmon.dll
2007-04-30 19:115,632-ra------C:\WINDOWS\system32\kbdkyr.dll
2007-04-30 19:115,632-ra------C:\WINDOWS\system32\kbdhe319.dll
2007-04-30 19:115,632-ra------C:\WINDOWS\system32\kbdhe220.dll
2007-04-30 19:115,632-ra------C:\WINDOWS\system32\kbdhe.dll
2007-04-30 19:115,632-ra------C:\WINDOWS\system32\kbdazel.dll
2007-04-30 19:11dr-------C:\Program Files
2007-04-30 19:11d--hs----C:\WINDOWS\Installer
2007-04-30 19:11d--------C:\Program Files\Common Files\SpeechEngines
2007-04-30 19:11d--------C:\Program Files\Common Files\ODBC
2007-04-30 19:109,936--a------C:\WINDOWS\system\LZEXPAND.DLL
2007-04-30 19:109,008--a------C:\WINDOWS\system\VER.DLL
2007-04-30 19:1085,020--a------C:\WINDOWS\system32\dgsetup.dll
2007-04-30 19:1082,944--a------C:\WINDOWS\system\OLECLI.DLL
2007-04-30 19:108,704--a------C:\WINDOWS\system32\batt.dll
2007-04-30 19:1074,752--a------C:\WINDOWS\system32\storprop.dll
2007-04-30 19:107,168-ra------C:\WINDOWS\system32\kbdcz.dll
2007-04-30 19:1069,584--a------C:\WINDOWS\system\AVICAP.DLL
2007-04-30 19:1069,120--a------C:\WINDOWS\NOTEPAD.EXE
2007-04-30 19:1068,768--a------C:\WINDOWS\system\MMSYSTEM.DLL
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\kbdycl.dll
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\kbdsl1.dll
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\kbdsl.dll
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\kbdpl.dll
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\kbdhu.dll
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\kbdcz2.dll
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\kbdcz1.dll
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\kbdcr.dll
2007-04-30 19:106,656-ra------C:\WINDOWS\system32\KBDAL.DLL
2007-04-30 19:106,144-ra------C:\WINDOWS\system32\kbdlv1.dll
2007-04-30 19:106,144-ra------C:\WINDOWS\system32\kbdlv.dll
2007-04-30 19:106,144-ra------C:\WINDOWS\system32\kbdest.dll
2007-04-30 19:105,632-ra------C:\WINDOWS\system32\kbdro.dll
2007-04-30 19:105,632-ra------C:\WINDOWS\system32\kbdpl1.dll
2007-04-30 19:105,632-ra------C:\WINDOWS\system32\kbdlt1.dll
2007-04-30 19:105,632-ra------C:\WINDOWS\system32\kbdlt.dll
2007-04-30 19:105,632-ra------C:\WINDOWS\system32\kbdhu1.dll
2007-04-30 19:105,120--a------C:\WINDOWS\system\SHELL.DLL
2007-04-30 19:1032,816--a------C:\WINDOWS\system\COMMDLG.DLL
2007-04-30 19:1024,661--a------C:\WINDOWS\system32\spxcoins.dll
2007-04-30 19:1024,064--a------C:\WINDOWS\system\OLESVR.DLL
2007-04-30 19:1019,200--a------C:\WINDOWS\system\TAPI.DLL
2 of .....

2007-04-30 19:10176,157--a------C:\WINDOWS\system32\dgrpsetu.dll
2007-04-30 19:1015,360--a------C:\WINDOWS\TASKMAN.EXE
2007-04-30 19:1013,312--a------C:\WINDOWS\system32\irclass.dll
2007-04-30 19:10126,912--a------C:\WINDOWS\system\MSVIDEO.DLL
2007-04-30 19:1011,264--a------C:\WINDOWS\system32\drivers\irenum.sys
2007-04-30 19:10109,456--a------C:\WINDOWS\system\AVIFILE.DLL
2007-04-30 19:10103,424--a------C:\WINDOWS\system32\EqnClass.Dll
2007-04-30 19:10dr-------C:\DOCUME~1\ALLUSE~1\Documents
2007-04-30 19:08d--hs----C:\System Volume Information
2007-04-30 19:08d--------C:\WINDOWS\system32\CatRoot23 of........

2007-04-30 19:08d--------C:\WINDOWS\system32\CatRoot
2007-04-30 19:08d--------C:\Documents and Settings
2007-04-30 19:03dr-hsc---C:\WINDOWS\system32\dllcache
2007-04-30 19:03dr--s----C:\WINDOWS\Fonts
2007-04-30 19:03dr-------C:\WINDOWS\Web
2007-04-30 19:03d--h-----C:\WINDOWS\inf
2007-04-30 19:03d--------C:\WINDOWS\WinSxS
2007-04-30 19:03d--------C:\WINDOWS\twain_32
2007-04-30 19:03d--------C:\WINDOWS\system32\wins
2007-04-30 19:03d--------C:\WINDOWS\system32\wbem
2007-04-30 19:03d--------C:\WINDOWS\system32\usmt
2007-04-30 19:03d--------C:\WINDOWS\system32\spool
2007-04-30 19:03d--------C:\WINDOWS\system32\ShellExt
2007-04-30 19:03d--------C:\WINDOWS\system32\Setup
2007-04-30 19:03d--------C:\WINDOWS\system32\ras
2007-04-30 19:03d--------C:\WINDOWS\system32\oobe
2007-04-30 19:03d--------C:\WINDOWS\system32\npp
2007-04-30 19:03d--------C:\WINDOWS\system32\mui
2007-04-30 19:03d--------C:\WINDOWS\system32\inetsrv
2007-04-30 19:03d--------C:\WINDOWS\system32\IME
2007-04-30 19:03d--------C:\WINDOWS\system32\icsxml
2007-04-30 19:03d--------C:\WINDOWS\system32\ias
2007-04-30 19:03d--------C:\WINDOWS\system32\export
2007-04-30 19:03d--------C:\WINDOWS\system32\drivers\etc
2007-04-30 19:03d--------C:\WINDOWS\system32\drivers\disdn
2007-04-30 19:03d--------C:\WINDOWS\system32\drivers
2007-04-30 19:03d--------C:\WINDOWS\system32\dhcp
2007-04-30 19:03d--------C:\WINDOWS\system32\config
2007-04-30 19:03d--------C:\WINDOWS\system32\3com_dmi
2007-04-30 19:03d--------C:\WINDOWS\system32\3076
2007-04-30 19:03d--------C:\WINDOWS\system32\2052
2007-04-30 19:03d--------C:\WINDOWS\system32\1054
2007-04-30 19:03d--------C:\WINDOWS\system32\1042
2007-04-30 19:03d--------C:\WINDOWS\system32\1041
2007-04-30 19:03d--------C:\WINDOWS\system32\1037
2007-04-30 19:03d--------C:\WINDOWS\system32\1033
2007-04-30 19:03d--------C:\WINDOWS\system32\1031
2007-04-30 19:03d--------C:\WINDOWS\system32\1028
2007-04-30 19:03d--------C:\WINDOWS\system32\1025
2007-04-30 19:03d--------C:\WINDOWS\system32
2007-04-30 19:03d--------C:\WINDOWS\system
2007-04-30 19:03d--------C:\WINDOWS\security
2007-04-30 19:03d--------C:\WINDOWS\Resources
2007-04-30 19:03d--------C:\WINDOWS\repair
2007-04-30 19:03d--------C:\WINDOWS\Provisioning
2007-04-30 19:03d--------C:\WINDOWS\PeerNet
2007-04-30 19:03d--------C:\WINDOWS\pchealth
2007-04-30 19:03d--------C:\WINDOWS\mui
2007-04-30 19:03d--------C:\WINDOWS\msapps
2007-04-30 19:03d--------C:\WINDOWS\msagent
2007-04-30 19:03d--------C:\WINDOWS\Media
2007-04-30 19:03d--------C:\WINDOWS\ime
2007-04-30 19:03d--------C:\WINDOWS\Help
2007-04-30 19:03d--------C:\WINDOWS\ehome
2007-04-30 19:03d--------C:\WINDOWS\Driver Cache
2007-04-30 19:03d--------C:\WINDOWS\Debug
2007-04-30 19:03d--------C:\WINDOWS\Cursors
2007-04-30 19:03d--------C:\WINDOWS\Connection Wizard
2007-04-30 19:03d--------C:\WINDOWS\Config
2007-04-30 19:03d--------C:\WINDOWS\AppPatch
2007-04-30 19:03d--------C:\WINDOWS\addins
2007-04-30 19:03d--------C:\WINDOWS
2007-04-30 15:023,840--a------C:\WINDOWS\system32\drivers\BANTExt.sys
2007-04-30 15:02d--------C:\Program Files\Belarc
2007-04-30 13:24d--------C:\1cda015c0c09cfaf43b0a11ba5
2007-04-30 12:04d--------C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-30 10:58d--------C:\Program Files\PowerISO
2007-04-30 10:4832,592--a------C:\WINDOWS\system32\msonpmon.dll
2007-04-30 10:47d--------C:\Program Files\Microsoft Works
2007-04-30 10:46d--------C:\Program Files\MSBuild
2007-04-30 10:41d--------C:\WINDOWS\SHELLNEW
2007-04-30 10:39dr-h-----C:\MSOCache
2007-04-30 10:39d--------C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-04-30 10:37d--------C:\Program Files\DAEMON Tools
2007-04-30 10:29d--h-----C:\WINDOWS\$hf_mig$
2007-04-30 10:29d--------C:\WINDOWS\system32\PreInstall
2007-04-30 09:51d--------C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-04-30 09:49d--------C:\Program Files\Nero
2007-04-30 09:49d--------C:\Program Files\Common Files\Ahead
2007-04-30 09:49d--------C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-04-30 09:47d--------C:\Program Files\Windows Media Connect 2
2007-04-30 09:44682,232--a------C:\WINDOWS\system32\drivers\sptd.sys
2007-04-30 09:4423,856--a------C:\WINDOWS\system32\spupdsvc.exe
2007-04-30 09:44d--------C:\WINDOWS\system32\LogFiles
2007-04-30 09:44d--------C:\WINDOWS\system32\drivers\UMDF
2007-04-30 09:43d--------C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-04-30 09:40d--------C:\Documents and Settings\Administrator\Contacts
2007-04-30 09:40d--------C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-30 09:40d--------C:\DOCUME~1\ADMINI~1\Contacts
2007-04-30 09:39d----c---C:\WINDOWS\system32\DRVSTORE
2007-04-30 09:39d--------C:\Program Files\MSN Messenger
2007-04-30 09:3882,944--a------C:\WINDOWS\system32\drivers\wdmaud.sys
2007-04-30 09:386,400--a------C:\WINDOWS\system32\drivers\splitter.sys
2007-04-30 09:3854,272--a------C:\WINDOWS\system32\drivers\swmidi.sys
2007-04-30 09:3852,864--a------C:\WINDOWS\system32\drivers\DMusic.sys
2007-04-30 09:3827,904--a------C:\WINDOWS\system32\drivers\VIAAGP1.SYS
2007-04-30 09:38172,416--a------C:\WINDOWS\system32\drivers\kmixer.sys
2007-04-30 09:38142,464--a------C:\WINDOWS\system32\drivers\aec.sys
2007-04-30 09:38d--------C:\WINDOWS\system32\ReinstallBackups
2007-04-30 09:37864---------C:\WINDOWS\system32\drivers\alcxinit.dat
2007-04-30 09:37765,952--a------C:\WINDOWS\system\crlds3d.dll
2007-04-30 09:37720,896--a------C:\WINDOWS\system32\Audio3D.dll
2007-04-30 09:37720,896--a------C:\WINDOWS\system32\a3d.dll
2007-04-30 09:377,552--a------C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-04-30 09:3760,800--a------C:\WINDOWS\system32\drivers\sysaudio.sys
2007-04-30 09:3760,288--a------C:\WINDOWS\system32\drivers\drmk.sys
2007-04-30 09:3755,296--a------C:\WINDOWS\SOUNDMAN.EXE
2007-04-30 09:375,376--a------C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-04-30 09:37461,312--a------C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2007-04-30 09:37403,968--a------C:\WINDOWS\system32\drivers\ALCXSENS.SYS
2007-04-30 09:374,992--a------C:\WINDOWS\system32\drivers\MSPQM.sys
2007-04-30 09:374,096--a------C:\WINDOWS\system32\ksuser.dll
2007-04-30 09:37306,688--a------C:\WINDOWS\IsUninst.exe
2007-04-30 09:37208,896---------C:\WINDOWS\alcupd.exe
2007-04-30 09:372,944--a------C:\WINDOWS\system32\drivers\drmkaud.sys
2007-04-30 09:37145,792--a------C:\WINDOWS\system32\drivers\portcls.sys
2007-04-30 09:37139,264---------C:\WINDOWS\alcrmv.exe
2007-04-30 09:37d--h-----C:\Program Files\InstallShield Installation Information
2007-04-30 09:37d--------C:\Program Files\Common Files\InstallShield
2007-04-30 09:37d--------C:\Documents and Settings\Administrator\WINDOWS
2007-04-30 09:37d--------C:\DOCUME~1\ADMINI~1\WINDOWS
2007-04-30 09:36d--------C:\WINDOWS\system32\SoftwareDistribution
2007-04-30 09:323,670,016--ah-----C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-30 09:323,670,016--ah-----C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-30 09:29262,144--ah-----C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-04-30 09:29262,144--ah-----C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-04-30 09:29d--------C:\WINDOWS\SoftwareDistribution
2007-04-30 09:29d--------C:\WINDOWS\Prefetch
2007-04-30 09:25d--------C:\WINDOWS\system32\xircom
2007-04-30 09:25d--------C:\Program Files\microsoft frontpage
2007-04-30 09:24262,144--ah-----C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-04-30 09:24112,128--a------C:\WINDOWS\system32\mapi32.dll
2007-04-30 09:240-rahs----C:\MSDOS.SYS
2007-04-30 09:240-rahs----C:\IO.SYS
2007-04-30 09:240--a------C:\CONFIG.SYS4 of.....

2007-04-30 09:240--a------C:\AUTOEXEC.BAT
2007-04-30 09:23dr-------C:\WINDOWS\Offline Web Pages
2007-04-30 09:23d--hs----C:\DOCUME~1\ALLUSE~1\DRM
2007-04-30 09:23d--h-----C:\Program Files\WindowsUpdate
2007-04-30 09:23d---s----C:\WINDOWS\Downloaded Program Files
2007-04-30 09:2264,512--a------C:\WINDOWS\system32\acctres.dll
2007-04-30 09:2212,288--a------C:\WINDOWS\system32\nmevtmsg.dll
2007-04-30 09:2211,264--a------C:\WINDOWS\system32\atrace.dll
2007-04-30 09:22d--------C:\WINDOWS\system32\DirectX
2007-04-30 09:2181,920--a------C:\WINDOWS\system32\isign32.dll
2007-04-30 09:2181,920--a------C:\WINDOWS\system32\ils.dll
2007-04-30 09:218,192--a------C:\WINDOWS\system32\bitsprx2.dll
2007-04-30 09:2173,728--a------C:\WINDOWS\system32\icwdial.dll
2007-04-30 09:2173,472--a------C:\WINDOWS\system32\drivers\sr.sys
2007-04-30 09:217,168--a------C:\WINDOWS\system32\bitsprx3.dll
2007-04-30 09:2169,632--a------C:\WINDOWS\system32\msconf.dll
2007-04-30 09:21679,424--a------C:\WINDOWS\system32\inetcomm.dll
2007-04-30 09:2167,584--a------C:\WINDOWS\system32\srclient.dll
2007-04-30 09:2165,536--a------C:\WINDOWS\system32\icwphbk.dll
2007-04-30 09:216,656--a------C:\WINDOWS\system32\wuauserv.dll
2007-04-30 09:2148,128--a------C:\WINDOWS\system32\inetres.dll
2007-04-30 09:21465,176--a------C:\WINDOWS\system32\wuapi.dll
2007-04-30 09:2145,568--a------C:\WINDOWS\system32\safrslv.dll
2007-04-30 09:2143,520--a------C:\WINDOWS\system32\safrcdlg.dll
2007-04-30 09:2143,520--a------C:\WINDOWS\system32\racpldlg.dll
2007-04-30 09:2141,240--a------C:\WINDOWS\system32\wups.dll
2007-04-30 09:21382,464--a------C:\WINDOWS\system32\qmgr.dll
2007-04-30 09:2134,560--a------C:\WINDOWS\system32\mnmdd.dll
2007-04-30 09:2132,768--a------C:\WINDOWS\system32\mnmsrvc.exe
2007-04-30 09:2132,768--a------C:\WINDOWS\system32\isrdbg32.dll
2007-04-30 09:2129,696--a------C:\WINDOWS\system32\safrdm.dll
2007-04-30 09:2128,672--a------C:\WINDOWS\system32\nmmkcert.dll
2007-04-30 09:21274,944--a------C:\WINDOWS\system32\mstask.dll
2007-04-30 09:21274,432--a------C:\WINDOWS\system32\inetcfg.dll
2007-04-30 09:21252,928--a------C:\WINDOWS\system32\msoeacct.dll
2007-04-30 09:21239,104--a------C:\WINDOWS\system32\srrstr.dll
2007-04-30 09:2123,040--a------C:\WINDOWS\system32\fltmc.exe
2007-04-30 09:21194,328--a------C:\WINDOWS\system32\wuaueng1.dll
2007-04-30 09:21190,976--a------C:\WINDOWS\system32\schedsvc.dll
2007-04-30 09:2118,944--a------C:\WINDOWS\system32\qmgrprxy.dll
2007-04-30 09:21173,536--a------C:\WINDOWS\system32\wuweb.dll
2007-04-30 09:21172,312--a------C:\WINDOWS\system32\wuauclt1.exe
2007-04-30 09:21170,496--a------C:\WINDOWS\system32\srsvc.dll
2007-04-30 09:2116,896--a------C:\WINDOWS\system32\fltlib.dll
2007-04-30 09:2116,384--a------C:\WINDOWS\system32\icfgnt5.dll
2007-04-30 09:21128,896--a------C:\WINDOWS\system32\drivers\fltmgr.sys
2007-04-30 09:21127,256--a------C:\WINDOWS\system32\wucltui.dll
2007-04-30 09:21124,184--a------C:\WINDOWS\system32\wuauclt.exe
2007-04-30 09:2112,288--a------C:\WINDOWS\system32\mstinit.exe
2007-04-30 09:21105,984--a------C:\WINDOWS\system32\msoert2.dll
2007-04-30 09:211,343,768--a------C:\WINDOWS\system32\wuaueng.dll
2007-04-30 09:21d---s----C:\WINDOWS\Tasks
2007-04-30 09:21d--------C:\WINDOWS\system32\Restore
2007-04-30 09:21d--------C:\WINDOWS\system32\Macromed
2007-04-30 09:21d--------C:\WINDOWS\srchasst
2007-04-30 09:21d--------C:\Program Files\Movie Maker
2007-04-30 09:21d--------C:\Program Files\Common Files\MSSoap
2007-04-30 09:2073,216--a------C:\WINDOWS\system32\avwav.dll
2007-04-30 09:205,632--a------C:\WINDOWS\system32\write.exe
2007-04-30 09:2044,544--a------C:\WINDOWS\system32\hticons.dll
2007-04-30 09:2035,328--a------C:\WINDOWS\system32\winchat.exe
2007-04-30 09:20227,840--a------C:\WINDOWS\system32\avtapi.dll
2007-04-30 09:2021,640--a------C:\WINDOWS\system32\emptyregdb.dat
2007-04-30 09:2016,384--a------C:\WINDOWS\system32\avmeter.dll
2007-04-30 09:20138,752--a------C:\WINDOWS\system32\sndvol32.exe
2007-04-30 09:20d--------C:\WINDOWS\Registration
2007-04-30 09:20d--------C:\Program Files\Online Services
2007-04-30 09:20d--------C:\Program Files\MSN Gaming Zone
2007-04-30 09:20d--------C:\Program Files\Messenger
2007-04-30 09:1997,792--a------C:\WINDOWS\system32\comrepl.dll
2007-04-30 09:19956,416--a------C:\WINDOWS\system32\msdtctm.dll
2007-04-30 09:1993,696--a------C:\WINDOWS\system32\tscfgwmi.dll
2007-04-30 09:1991,136--a------C:\WINDOWS\system32\mtxoci.dll
2007-04-30 09:199,728--a------C:\WINDOWS\system32\reset.exe
2007-04-30 09:1987,176--a------C:\WINDOWS\system32\rdpwsx.dll
2007-04-30 09:1985,504--a------C:\WINDOWS\system32\catsrvps.dll
2007-04-30 09:1980,384--a------C:\WINDOWS\system32\charmap.exe
2007-04-30 09:1967,072--a------C:\WINDOWS\system32\rdshost.exe
2007-04-30 09:19655,360--a------C:\WINDOWS\system32\mstscax.dll
2007-04-30 09:19625,152--a------C:\WINDOWS\system32\catsrvut.dll
2007-04-30 09:1962,464--a------C:\WINDOWS\system32\rdpclip.exe
2007-04-30 09:19605,696--a------C:\WINDOWS\system32\getuname.dll
2007-04-30 09:1960,416--a------C:\WINDOWS\system32\remotepg.dll
2007-04-30 09:1960,416--a------C:\WINDOWS\system32\colbact.dll
2007-04-30 09:196,144--a------C:\WINDOWS\system32\msdtc.exe
2007-04-30 09:1958,880--a------C:\WINDOWS\system32\msdtclog.dll
2007-04-30 09:1958,880--a------C:\WINDOWS\system32\licwmi.dll
2007-04-30 09:1956,832--a------C:\WINDOWS\system32\sol.exe
2007-04-30 09:1956,320--a------C:\WINDOWS\system32\servdeps.dll
2007-04-30 09:1955,296--a------C:\WINDOWS\system32\freecell.exe
2007-04-30 09:19540,160--a------C:\WINDOWS\system32\comuid.dll
2007-04-30 09:1954,272--a------C:\WINDOWS\system32\stclient.dll
2007-04-30 09:19538,624--a------C:\WINDOWS\system32\spider.exe
2007-04-30 09:195,120--a------C:\WINDOWS\system32\dcomcnfg.exe
2007-04-30 09:19498,688--a------C:\WINDOWS\system32\clbcatq.dll
2007-04-30 09:1944,544--a------C:\WINDOWS\system32\tscupgrd.exe
2007-04-30 09:19426,496--a------C:\WINDOWS\system32\msdtcprx.dll
2007-04-30 09:19407,552--a------C:\WINDOWS\system32\mstsc.exe
2007-04-30 09:1940,840--a------C:\WINDOWS\system32\drivers\termdd.sys
2007-04-30 09:194,096--a------C:\WINDOWS\system32\rdpcfgex.dll
2007-04-30 09:194,096--a------C:\WINDOWS\system32\mtxex.dll
2007-04-30 09:1938,912--a------C:\WINDOWS\system32\cfgbkend.dll
2007-04-30 09:19347,136--a------C:\WINDOWS\system32\hypertrm.dll
2007-04-30 09:19343,040--a------C:\WINDOWS\system32\mspaint.exe
2007-04-30 09:1933,792--a------C:\WINDOWS\system32\regini.exe
2007-04-30 09:19295,424--a------C:\WINDOWS\system32\termsrv.dll
2007-04-30 09:1925,600--a------C:\WINDOWS\system32\comaddin.dll
2007-04-30 09:1925,088--a------C:\WINDOWS\system32\mtxlegih.dll
2007-04-30 09:19225,792--a------C:\WINDOWS\system32\catsrv.dll
2007-04-30 09:1922,016--a------C:\WINDOWS\system32\qwinsta.exe
2007-04-30 09:1921,896--a------C:\WINDOWS\system32\drivers\tdtcp.sys
2007-04-30 09:1920,992--a------C:\WINDOWS\system32\msg.exe

5 of........

2007-04-30 09:1920,480--a------C:\WINDOWS\system32\qprocess.exe
2007-04-30 09:1920,480--a------C:\WINDOWS\system32\mtxdm.dll
2007-04-30 09:19196,864--a------C:\WINDOWS\system32\drivers\rdpdr.sys
2007-04-30 09:1919,968--a------C:\WINDOWS\system32\rdpsnd.dll
2007-04-30 09:19185,344--a------C:\WINDOWS\system32\cmprops.dll
2007-04-30 09:19183,808--a------C:\WINDOWS\system32\accwiz.exe
2007-04-30 09:1917,408--a------C:\WINDOWS\system32\mmfutil.dll
2007-04-30 09:19161,280--a------C:\WINDOWS\system32\msdtcuiu.dll
2007-04-30 09:1916,896--a------C:\WINDOWS\system32\tsshutdn.exe
2007-04-30 09:1916,896--a------C:\WINDOWS\system32\qappsrv.exe
2007-04-30 09:1916,384--a------C:\WINDOWS\system32\tskill.exe
2007-04-30 09:1915,872--a------C:\WINDOWS\system32\rwinsta.exe
2007-04-30 09:1915,872--a------C:\WINDOWS\system32\cdmodem.dll
2007-04-30 09:1915,360--a------C:\WINDOWS\system32\logoff.exe
2007-04-30 09:19147,968--a------C:\WINDOWS\system32\rdchost.dll
2007-04-30 09:19147,456--a------C:\WINDOWS\system32\comsnap.dll
2007-04-30 09:19140,800--a------C:\WINDOWS\system32\sessmgr.exe
2007-04-30 09:1914,848--a------C:\WINDOWS\system32\tsdiscon.exe
2007-04-30 09:1914,848--a------C:\WINDOWS\system32\tscon.exe
2007-04-30 09:1914,848--a------C:\WINDOWS\system32\shadow.exe
2007-04-30 09:19139,528--a------C:\WINDOWS\system32\drivers\rdpwd.sys
2007-04-30 09:19131,584--a------C:\WINDOWS\system32\sndrec32.exe
2007-04-30 09:1913,824--a------C:\WINDOWS\system32\rdsaddin.exe
2007-04-30 09:19126,976--a------C:\WINDOWS\system32\mshearts.exe
2007-04-30 09:19123,392--a------C:\WINDOWS\system32\mplay32.exe
2007-04-30 09:1912,040--a------C:\WINDOWS\system32\drivers\tdpipe.sys
2007-04-30 09:19119,808--a------C:\WINDOWS\system32\winmine.exe
2007-04-30 09:19114,688--a------C:\WINDOWS\system32\calc.exe
2007-04-30 09:19110,080--a------C:\WINDOWS\system32\clbcatex.dll
2007-04-30 09:1911,776--a------C:\WINDOWS\system32\xolehlp.dll
2007-04-30 09:1911,264--a------C:\WINDOWS\system32\icaapi.dll
2007-04-30 09:19102,912--a------C:\WINDOWS\system32\clipbrd.exe
2007-04-30 09:191,267,200--a------C:\WINDOWS\system32\comsvcs.dll
2007-04-30 09:191,161--a------C:\WINDOWS\system32\usrlogon.cmd
2007-04-30 09:19d--------C:\WINDOWS\system32\MsDtc
2007-04-30 09:19d--------C:\WINDOWS\system32\Com
2007-04-30 09:19d--------C:\Program Files\Windows NT


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-18 16:12:232,854,400----a-wC:\WINDOWS\system32\msi.dll
2007-04-09 12:27:0731,548----a-wC:\WINDOWS\system32\drivers\scdemu.sys
2007-03-17 13:43:01292,864----a-wC:\WINDOWS\system32\winsrv.dll
2007-03-14 09:27:58972,336----a-wC:\WINDOWS\UNRecode.exe
2007-03-14 09:19:5695,864----a-wC:\WINDOWS\system32\NeroCo.dll
2007-03-14 09:19:26972,336----a-wC:\WINDOWS\UNNeroBackItUp.exe
2007-03-12 03:51:08972,336----a-wC:\WINDOWS\UNNeroMediaHome.exe
2007-03-08 15:36:28577,536----a-wC:\WINDOWS\system32\user32.dll
2007-03-08 15:36:2840,960----a-wC:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28281,600----a-wC:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:481,843,584----a-wC:\WINDOWS\system32\win32k.sys
2007-02-28 10:53:50972,336----a-wC:\WINDOWS\UNNeroVision.exe
2007-02-28 05:41:02972,336----a-wC:\WINDOWS\UNNeroShowTime.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0F06680B-F18E-4EC3-8D73-FD6D8230B244}=C:\WINDOWS\system32\ddabb.dll []
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-07-29 03:48]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2006-09-05 20:28]
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2002-11-02 16:33]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-29 19:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbxxu]
efcbxxu.dll


Contents of the 'Scheduled Tasks' folder
2007-05-20 05:40:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 23:38:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 23:39:45 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-29 23:39

--- E O FFirst, I'd like for you to download ERUNT and use it to backup your registry. This is very important!

I have attached a .zip file to this post. Save the file and extract it to your desktop. There are two files within it: remove.reg and remove.bat. Run/execute both files. This will only take a couple of seconds.

Once you have done that, go to Start > Run and type in regedit and click OK. I don't know how familiar you are with Regedit, so I'll try to make this simple. You will be faced with the following directories...
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG

Navigate to the following directory...
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer

In the right panel, there will be a set of registry keys. Locate the one named NoClose, right-click on it, and click on Modify. Under the Value Data, change the 1 to a 0. This should restore your Shut Down button. If you encounter any problems, use your ERUNT backup to restore your registry.



Update AVG and scan with it in Safe Mode again. Let it clean whatever it wants. Restart and post back with a new log and an update on how things are going.

[cleaning up - attachment deleted by admin]ok done all that exept the scan atm. so does the shutdown button come up straight away or do i have to reboot?
cause i havnt rebooted yet and it still hasnt shown up Dude you are a legend just rebooted and now i have my shut down button back thanks sooooo much. now how do i get rid of the rebooing problem?I'm glad I could get that working for you. Now let's try to figure out your rebooting problem.

Before you run your anti-virus scan, I want you to download AVG Anti-Rootkit and scan with that also (not at the same time). Its scan won't take as long as the anti-virus.

Also...

QUOTE from: imanidiot on May 29, 2007, 04:00:56 AM

im running avg 7 and adaware se and avg keep coming up with unwanted files so far here is wat follows
C;\WIndows\system32\csifmoml.ddl
ddyhokyt.dll
max1d1641.exe
protector.exe
ntio256.sys
all in the system32 file.
and then there are more in my temp folder

Be on the look out for this trojan that is not the usual pain in the neck. After running my usual Norton System Scan, I was informed of a High risk trojan that is resistant to removal. The name I was given is:

Trojan_Peacomm-symantec_com_files

I'm running Windows XP and Internet Explorer browser. For the last 2 days I've tried every removal program I have (Norton, McAfee, EVEN AVG) and a few free ones from the internet. Nothing works!!! If any ONE has RAN into this befor and has advice on what to do to get rid of the DARN thing, please let me know. I'll make you my new hero. The below page contains information and also a link that should help allow you to remove this infection.

http://www.nosnoopware.com/spyware/remove/trojan.peacomm.htmHeather, check out the above link, and if you're still having trouble, then go ahead and post a HijackThis log for me to take a look at. Make sure you only scan and SAVE a log. Don't make any changes with the program until I tell you to do so.Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

My computer has been raided by viruses!

Unfortunately, my good ol' standby NORTON hasn't been able to get rid of them. It keeps opening up IE windows (usually to adfarm.* sites - many of which just give 'page not found' so I guess it's not only a virus, but an outdated one!) and every few hours Norton catches part of the 'Infostealer' virus and quarantines it, but can't seem to find the cause - even when I ran it from Safemode, although that did kill a lot of other problems.

At the end of my rope! Any advice on how I can get rid of this?

Hijackthis log below.

Logfile of HijackThis v1.99.1
Scan saved at 7:58:58 PM, on 5/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\CTSVCCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\LXSUPMON.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\simplemu\simplemu.exe\SimpleMU.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: @msdxmLC.dll,[emailprotected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6 638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\aojslnoh.dll",realset
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: StripSaver2.lnk = C:\Program Files\StripSaver2\StripSaver2.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSVCCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Personally, if I were you, I would ditch Norton and get AVG Free instead. It's usually a lot more effective. And it's free! At the very least, you should install AVG and disable the real-time scan so you can at least have it for backup. You should also get Anti-Spyware from that same site. Update both programs and scan with each one in Safe Mode.

That aside, I'll take a look at your log real quick...LOOKS like you're a MUD gamer, eh? Fun times.

Anyway...you've got a couple of infections, but it doesn't look too terribly bad. You'll definitely want to take care of the DOWNLOADER that's hijacking your browser. First...

I'd like you to print out the following instructions (or save them in a Notepad file if you don't have a printer) because you soon won't have access to this page for a little while...

1. Download VundoFix and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files. Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.

And then, just for good measure...
1. Download VirtumundoBeGone and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode. Vundo should now be removed from your computer.


Please re-open HijackThis and scan. Check the boxes next to all the entries listed below, if still present.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6 638993F4661AA4EBD86D67C56389B284534F310

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\aojslnoh.dll",realset

O4 - Startup: StripSaver2.lnk = C:\Program Files\StripSaver2\StripSaver2.exe
(VirtuaGirl appears to be legit, but I don't think StripSaver is. I believe it is known to infect computers with ISTBar. I don't see any traces of ISTBar here, but let's play it safe.)

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis. Reboot into safe mode.
(Remember to have this page printed out.)

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

StripSaver
ISTBar or IST Service

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):
(Make sure you can view hidden files and folders.)

C:\Program Files\StripSaver2

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):
(Make sure you can view hidden files and folders.)

C:\WINNT\retadpu2000219.exe
C:\WINNT\system32\aojslnoh.dll

(Use Pocket KillBox for any stubborn files.)

After that, reboot and post a new HijackThis log here in a reply.



Also, you should go here and click on Free Java Download. You will be given instructions on what to do next.Thanks for the advice - AVG caught a bunch of stuff that Norton was ignoring completely, good call.

And MUSH gamer, but close enough.

Followed instructions - although at the last bit, retadpu and aojslnoh didn't seem to exist, maybe they got caught and destroyed. I hope.

Logfile of HijackThis v1.99.1
Scan saved at 2:13:59 PM, on 5/22/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\CTSVCCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\LXSUPMON.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O3 - Toolbar: @msdxmLC.dll,[emailprotected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSVCCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

get superantispyware and spybot search and destroy and ccleaner(install without the yahoo toolbar)

run Ccleaner

update the other two go into safe mode scan and report back with anything found...


you also might want to go to start run enter "msconfig" without "" and go to startup and uncheck anything that doesnt need to be started up when the computer does to help speed it up a bit then click apply then ok then restartNot sure why this was excluded from my instructions, but could you please locate the vundofix.txt file in the VundoFix folder and post the contents here?

As for those files...copy/paste the file paths in Pocket KillBox just make sure they really aren't there.

Also, be sure to visit the Java site to ensure that you have the latest version installed on your computer.

Your log looks clean, but I'd still like to make sure we're getting everything. How's your computer running? Still getting pop-ups? Don't mind this post; it's just a bit of general maintenance.Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another MODERATOR and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

virus vbscript solow deleted my productID


WINDOWS Registry Editor VERSION 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"=""

how i get back my productId?

i'm using winxp sp2



If I remember correctly, you don't have a genuine copy of Windows...

This could be why your computer seems to get so many infections.erm.... i got 3 pc, 1 sp3 "pirate"1 vista and 1 sp2

i am using sp2 now , this is original. so... pls dont always said that i' using un genuis window. that hurt k? I'll admit that I have my doubts, but I'm a nice guy, so I'm willing to give you a chance.

XP isn't the only OS that has SP2, but I'm assuming XP is what you have. Correct?


1. Run the CLEANER and Issues tools on CCleaner (install without Yahoo! toolbar).

2. If you don't already have it, download/install AVG Free, update it, and scan in Safe Mode.

3. Download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.

4. Post a HijackThis log along with a list of your protection programs.Quote from: insertusername on May 26, 2007, 05:34:49 AM

erm.... i got 3 pc, 1 sp3 "pirate"1 vista and 1 sp2

i am using sp2 now , this is original. so... pls dont always said that i' using un genuis window. that hurt k?

erm.... i got 3 pc, 1 sp3 "pirate"1 vista and 1 sp2

i am using sp2 now , this is original. so... pls dont always said that i' using un genuis window. that hurt k?

hi, a few days ago a dowloaded a free trial of AVG. when it was done with setup, it restarted and froze at log in screen. i restart my comp. and it freezes at log in screen when it says starting up. I have left it over night at that screen and have tried rebooting numerous times. I went into safe mode and ran AVG. it found 2 trojan dropper's and lots of tracking cookies. AVG "HEALED" the trojans but did not delete them. so i manualy deleted them. i ran the scan and nothing came up. so i then tried booting normaly and it still freezes. looking through some of the forums, i tried hijack this.

im running on XP prof. here is the hijackthis log. please help, thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:15:08 AM, on 6/16/2007
Platform: WINDOWS XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\JOSE ESTRADA\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MESSENGER - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

You have HijackThis running from your desktop. You have it in a permanent location, which is good because it makes important backups that you may end up needing. However, to help you avoid clutter and to help ensure that the backups stay safe, I would like you to move it to a special location such as C:\Program Files\HJT.

Also, your Java is out of date. You'll want to correct this quickly, as it will help provide further protection for you. To do so, go here and click on Free Java Download. You will be given instructions on what to do next.

You definitely need to correct those two things. Other than that, your log looks clean to me (there is one other issue I will address in a minute, however). I think the problem is your Panda. You're trying to run Panda and AVG at the same time, which is causing them to "*censored* heads" and may be the reason why you're having trouble. If you want to use AVG, try disconnecting from the internet and disabling Panda. See if this makes a difference. Or you could simply try uninstalling AVG.



Also...there's this entry in your log...

O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

SpyHunter is technically legit, but it hasn't always been that way. And although it is legit now, its protection is horribly substandard. If you wish to learn more, click here. You may want to consider removing this program and using an alternative such as SUPERAntiSpyware.ok thanks. but since i cant log in I am in safe mode and can not delete panda. or can i?Yes, you can. In FACT, being in Safe Mode should actually make it easier. But you don't have to delete it; just try disabling it. Unless you don't want Panda anymore and would like to switch to AVG. In that case, you may delete it.You could also try DLoading and installing AVG Anti-Spyware ( FORMERLY Ewido ) and run it in safemode...Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

My Lacie backup hard disk drive has free space of 200GB but i can copy/transfer a file of 10GB to it. What should I do? Is it a kind of virus called worms? Which software should I use? HelpI dont understand the question. What do you mean you can transfer 10GB to it?
If you want to back something up on your 200GB hard disk, you can PRETTY much just use Copy and Paste....Your operating SYSTEM may have limitations on copy/move file sizes...without this and other omportant info here we are just guessing...Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any REASON, PM me or another moderator and it can be arranged.

If you are not the original poster and you REQUIRE help, please start a New Topic with information about your computer and your problem.

can anyone help? when I click on a link from agoogle search it does not go to that link but jumps to something all together different.It certainly sounds like your browser has been hijacked...

Post a list of what protection programs you have and when they were run last...Sounds like you've got yourself a HIJACKER. Go ahead and post a HijackThis log for us to TAKE a look at. Also, please list all protection programs you have installed on your COMPUTER.

EDIT: Ha, darn you, patio.lol..... sorry had to THROW that in.....I don't even type that fast Chris...are you multi-tasking again ? ? ?

As a matter of fact, I was in the middle of reading Death Note when I posted that. Ha.Due to lack of feedback, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you REQUIRE help, please start a New Topic with information about your computer and your problem.

I wish to the Firewall for restrict the Viruses and Threats to ENTER in my System ...
How that works and is there any other alternatives for that.
Wish to protect my network from Worms,trojens and some therats.....
They distrubs the entirew network and data proccessing through it....
So distrub and fed up of it PLZ help

Will these procedure of solution distrubs the Network..... or any policies used in it...?There is no substitute for a good up to date anti virus program. A firewall can prevent many intrusions and many out going connectios, but can do nothing for an infection, and some types of virus can disable a firewall. Good anti virus software is an absolute MUST have.what protections do you have?? are you having any current infection problems??

more info about your computer(s) and/or network

what OS they are running etcA firewall is very important to have, but like 2k_dummy says, you ABSOLUTELY must have anti-virus (as well as anti-spyware) protection programs. Just ONE program isn't enough.CAN YOU HELP ME PLEASE I HAVE GOT AVSYSTEM CARE ON MY PC AND ITS REALLY STARTING TO DO MY HEAD IN PLEASE HELP MEwhip, please start a new thread to receive help.

i know this is probably an odd and not so popular topic, but how do they quarantine viruses with protection software? also why would that method not be implemented into the ''latest and GREATEST'' operating systems... that would make things a lot simpler, and you can't say microsoft doesn't have the know how to make an un-rivalled antivirus protection program...furthermore, if these were implemented into OSs then wouldn't there also be an easy way to just update the virus protection. that saves everybody the trouble of using programs such as norton.. *shudders*Protection programs quarantine an infection by moving it to a folder where it is disabled and remains inactive so it can't cause harm. In many cases, the file is renamed. It's technically still an infected file, but it is rendered harmless. Many programs also allow you to monitor activity of quarantined FILES to ensure they stay that way.

I can't really say why this isn't implemented in OS'es. Perhaps they find it to be something that would be too difficult. Also, it might take up too many resources. Another thing to consider is that the people who run these protection programs need to be very dedicated. Viruses are always changing and finding new ways to run undetected, so it's probably best that this matter is taken care of by a third party.

If protection was included like how you describe, I'd imagine that updating would be easier and more convenient. However, I would be CONCERNED with how GOOD the definitions would be. I mean, just take a look at Windows Firewall for XP. It's better than nothing at all, but other programs provide so MUCH more. Microsoft likes to give us the basics and let us add on more if we wish.



I'm going to go ahead and move this to the virus section.

Hello,i have a new dell xps 210,vista primium.It has PCTATLETAIL,
since day one XOFTSPY,SE detects it but dose not remove it,not
even in safe mode. I have AVG,AVG SPY,SPYWARETERMINATER,AD AWARE SE,
SPYWARE DOCTOR,SPYWAREDETECTOR,ADVANCED WINDOWS CARE V2,
AVAST,SPYBOT SEARCH+DESTROY,CCleaner..i have ran them all in safe mode
with no luck..im just an average user,any advise please.
thanks for your time............
Is this your COMPUTER or do you share it with others?
Who else uses this computer?

PC Tattletale is a monitoring program that has to be manually installed. This program was likely added intentionally. You may want to talk about this with your parents, sibling(s), or anyone else who has access to your computer.Thanks,CBMatt no i got it myself about 2 weeks ago it had mcavee
security suite on it trial 30 days but that was useless so i got a free firewall of pc doctor for vista,that wouldnt install properly,so im just on vista firewall
now.So i think maybe it got through Macavee,no one else uses this but me??
Is there a prog i COULD buy££ to get rid as it seems very stuborne....
thanks for your time..............paul420 ......Quote

Thanks,CBMatt no i got it myself about 2 weeks ago

Thanks,CBMatt no i got it myself about 2 weeks ago

I'm back again, this time it's for a friends pc. I ran the AVG anti-spyware & ant-virus in safe mode ont his comp also. I removed the things it has found & was wondering what I Should remove from this pc. For the record the help here as been great, really appriciate it.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:03:59 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\GUARD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\OWNER\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\hzi7rf0d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\hzi7rf0d.slt\prefs.js)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - blank (file missing)
O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb045YYCA_ZNxdm81347US
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\PROGRA~1\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\PROGRA~1\ICQLite\ICQLite.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.8.3.26/euchre/euchre-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.3.26/greenback/greenback-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.3.26/flinger/flinger-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire23.pogo.com/applet-5.8.3.26/piratesgold/piratesgold-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5.8.3.26/popfu/popfu-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5.8.3.20/squelchies/squelchies-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://solitaire09.pogo.com/applet-5.8.4.18/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game2.pogo.com/applet-5.8.3.20/holdem/holdem-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.3.26/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.3.26/whackdown/whackdown-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1495bbd3df574863ef19/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156484890421
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4264/mcfscan.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: .NET Framework Service (.NET CONNECTION Service) - - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 11096 bytes
JATreace ..... Ok , lets see what we can do to improve things......

Run the cleaner PART of Ccleaner. removing anything found.
Then......

Is the Yahoo toolbar required? Remove it if not needed.


Go into control panel add/remove ..... and remove........
C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL

Once it's gone , Mark for removal with hijackthis.......

O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) If this was my machine it would go.

O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - blank (file missing)

O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - (no file)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSe tup1.0.0.8.cab


If these entries still remain after removing Mywebsearch...... mark them as well.........

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb045YYCA_ZNxdm81347US

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSe tup1.0.0.8.cab


ok once you have marked these items for removal ....... click fix checked and reboot.
Now post a fresh hijackthis log and let us know how things are running.


dl65






Thanks again dl, this pc is running pretty quick again. Here's the new log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:21:20 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\lexpps.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\hzi7rf0d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\hzi7rf0d.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\PROGRA~1\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\PROGRA~1\ICQLite\ICQLite.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.8.3.26/euchre/euchre-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.3.26/greenback/greenback-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.3.26/flinger/flinger-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire23.pogo.com/applet-5.8.3.26/piratesgold/piratesgold-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5.8.3.26/popfu/popfu-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5.8.3.20/squelchies/squelchies-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://solitaire09.pogo.com/applet-5.8.4.18/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game2.pogo.com/applet-5.8.3.20/holdem/holdem-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.3.26/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.3.26/whackdown/whackdown-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - http://mirror.worldwinner.com/games/v44/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1495bbd3df574863ef19/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156484890421
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4264/mcfscan.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 9133 bytes
JATreace ..... Oops, I forgot to tell you to mark this one for removal.
use hijackthis to fix.
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL

when you have fixed this entry....... run ccleaner again....... removing anything found and then reboot ......... then run hijackthis ..... there is no need to post a new log unless the R3 entry that you fixed is still there .


let us know the outcome.

dl65

I have been having really bad problems with two pcs lately and i posted a thread on the hardware section called "a challenge for you".
I have just been through my emails and i am having some really suspicious ones telling me to view an e card that a family member has sent.
They were from smsale.hk, isbro.hk and eoclam.hk.
I am convinced this is some sort of malware. Has anyone ever heard of these and how much damage can they do? As i said, i have been having problems with two pcs (problems booting) and i was just wondering if they could be linked.
I believe these all relate to a surge in fake greeting cards & phishing expeditions by botnets.

Quite what damage they may do I'm not sure. Best to start with a general clean out of your computer system and a check of the HJT log.

I suggest you print this out to help you follow my advice.

***********************

Make sure you have exposed all Hidden Files & Folders.

To enable the viewing of Hidden files follow these steps:

1. CLOSE all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and close My Computer.

***********************

Please download and install Superantispyware here ….

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

• Load SUPERAntiSpyware and click the Check for Updates button.
• Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!

• Open SUPERAntiSpyware and click the Scan your Computer button.
• Check Perform Complete Scan and then click Next.
• SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
• Make sure that they all have a check next to them, and then click Next.
• Click FINISH and you will be taken back to the main interface.
• It could be possible that it will ask you to reboot your computer in order to DELETE some files after reboot.
• I'll need a log afterwards of what has been found.
• To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
• Please post the results of the SUPERAntiSpyware log in your next reply.

Suddenly I am pulling up pages on internet and half the print is encrypted and the REST is not.
Also in upper Right corner instead of being able to CLOSE with the little "x" like usual the BOX now has an "r" and the minimize box has a "0" in it.

When I try to OPEN up my Microsoft Word PROGRAM to type a letter it tells me my "Tahoma font" is missing but if I try to type an email and look up in FONTS, the Tahoma font is there.

HELP.
Ok We can't really help you if we haven't got any info like:
What OS do you have?
What protection do you have?
Did you made any recent changes to your computer?
Did you updated you protection at a regular basis?
give us as much info as you have.

Jonas

I am noticing RANDOM problems with my PC. When I play World of Warcraft, It will half of the time Crash saying that there is a missing file. Sometimes, other random programs will crash(MSN, Firefox, anything else) will also crash. Now I am using Norton 2007, and I also scanned on Housecall, and they both said that my PC is all good. I also use Spybot, Adaware, CCleaner to grab EVERYTHING else.

What could be the problem? Any other ideas on what to do?The exact error messages would be necessary to advise. Has it always been this way? If not, what has changed?

You could check your RAM with the free DOWNLOAD at www.memtest86.com

Then check the hard drive with the free diagnostics from the appropriate hard drive maker's site.The error messages im getting is the so and so program is non responsind and has to be closed, do u want to send Microsoft the error data so we can help u,

its been like this for a little while now, maybe a few months
The specific error messages are very important including the missing file. What if you UNINSTALL and reinstall the game?

How long has this Windows INSTALLATION been loaded? What version? What service pack?

sister called and stated when she turn on computer a MESSAGE APPEARED (virus detected in system) how do u remove a virus? what do i TELL her? computer 4 months old. (help)We would need some info like what program is giving this message, the exact error message, the virus if named, and what type of virus and spyware protection is loaded.

She could go the online scan at www.trendmicro and see if that will remove it.

As ALWAYS, good information gets good advice.

Only problem is it appears impossible to highlight the first documentt without opening it so I can't get to the point where I'm scrolling down and HIGHLIGHTING all the docs that i want to delete!

Change that in FOLDER options.Have done this (chose single click to select option, apply, OK)) but it makes no difference. As soon as click on file, it opens :-? rather than just highlights.


Quote

When the computer starts tap F8 several times BEFORE you get to the Windows splash screen. THat will get you into safe mode. Try all of your scans while there and then delete the files as usual.

I seemed to have solved it. The AVG clean appears to have done the trick and I[highlight] have purchased the antispyware which is compatible with mcAfee[/highlight]. The thousands of docs have been deleted (the scan revealed 50 items of malware). Fingers crosssed and thanks VERY much for all your help.

Panda Activescan
Ewido/AVG Online Scan

Ive found this program RUNNING on my computer under svchost.exe , and it seem to me that there were tomany programs running under svchost its USING more than 20 megs of ram.

I google'd it to see if it was a bad, and the first few results said it was a Trojan downloader, but i cant seem to get rid of it and I'm not sure if it is bad or not.

Ive run AVG , spybot , Adaware, and CCleaner none of which pick it up as being anything, has any one else seen this program before?

I think it might just be part of Diskmanager if its not a virusDo a search open Explorer and use the file search utility to look for this. If it is automatically started when you boot your computer, then click start, goto run, and type 'msconfig' and click the startup tab and then look for the program and uncheck.I dose automatically start when i start my computer , but its not in any of the start up areas that i know off.

it is not shown as a SERVICE or as a process in task manager.

i did find the EXE its in the System 32 folder, should i simply delete it in safe mode?http://www.bleepingcomputer.com/startups/dmserver.exe-1381.htmlSERVER not found

Firefox can't find the server at www.bleepingcomputer.com.It would appear that that web site is down, is it generally a reliable site for process information,

i don't generally have much problem with "Mal Ware" on my PC , so i don't have much experience with it other than the common utilitiesThat file could also be part of Trendmicro, have you ever had it installed?
http://esupport.trendmicro.com/support/viewxml.do?ContentID=en-121747

Panda Activescan
Ewido/AVG Online ScanNope i don't think so.

i hate it when i cant find out when and ware a program thats running on my computer came from , its very annoying.

Ive not run those online scans yet , but ill GIVE them a lash now
i try to avoid installing strange things.

Thank you all for you suggestions, i think ill just delete the program and see what happens ^.^, there are a few other things running under svchost that I'm not to sure about. i only found these programs because im trying to get better performance out of my PC and it seemed to me that it was using too much ramQuote

i think ill just delete the program and see what happens

My pc and net are running slow, so I ran spy/adware & virus scanners and found soy/adware & viruses. I ran HJT & PandaScan for another forum at www.techsupportforum.com but they would not help at all. I would greatly appiciate it if some one could tell me what to remove for the HJT log & tell me waht to do for the viruses. Here are my logs.

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:30:38 PM, on 03/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IOLO\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL (file MISSING)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update MANAGER\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\6.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe
O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1008\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Krista and Jessica')
O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1008\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Krista and Jessica')
O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1008\..\Run: [Skype] "C:\Documents and Settings\Krista and Jessica\Local Settings\Application Data\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Krista and Jessica')
O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Krista and Jessica')
O4 - S-1-5-21-1936128508-2687675847-3651399767-1008 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Krista and Jessica')
O4 - S-1-5-21-1936128508-2687675847-3651399767-1008 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Krista and Jessica')
O4 - Startup: csrss.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://karenfuldansgirl.spaces.live....d/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137297261718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.91.143.201/activex/AxisCamControl.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://www.cogeco.ca/en/ols21/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/download...ameManager.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/c...ploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...69/mcfscan.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories CACHE daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 9456 bytes

PandaScan:


Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Internet Explorer\MSIMG32.dll
Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Adware:adware/sahagent Not disinfected c:\windows\system32\SHAgentNew.dll
Virus:trj/spabot.e Disinfected Operating system
Adware:adware/ncase Not disinfected c:\windows\msbbau.dat
Adware:adware/cws.yexe Not disinfected c:\windows\system32\Services
Potentially unwanted tool:application/funweb Not disinfected c:\program files\FunWebProducts
Adware:adware/wupd Not disinfected Windows Registry
Spyware:spyware/betterinet Not disinfected Windows Registry
Adware:adware/wintools Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Dialer:dialer.bqw Not disinfected hkey_current_user\software\microsoft\internet explorer\main\conc
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][4].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][5].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][8].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Bettersearch Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected]1[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Local Settings\Temp\Cookies\krista and [emailprotected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Krista and Jessica\Local Settings\Temp\Cookies\krista and [emailprotected][2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Krista and Jessica\Local Settings\Temp\Cookies\krista and [emailprotected][1].txt
Virus:Trj/Downloader.LTL Not disinfected C:\Documents and Settings\Krista and Jessica\Local Settings\Temp\s1i8[¦%%\br_rt.dll]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Cookies\[emailprotected]t[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\msimg32.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
Virus:Trj/Downloader.LTL Disinfected C:\WINDOWS\18-979cccfcc7622e89302a49c23b6fa37a.exe
Adware:Adware/Beginto Not disinfected C:\WINDOWS\system32\SmartShopper\uninstallSE.exewhat programs have you used??I've used Lavasoft adware, Uniblue spyware Scanner, Trend Micro online virus scan, PandsSoft online virus scan. They have all found things & I have removed what each has found but when I scan again there's still things there.look at my signature.. dl those programs update them and reboot into safe mode do the scans one at a time remove what they found.. post logs if available.. reboot in m=normal mode and report back on the state of the computeroh now that I see them I've also used Ccleaner and AVG spyware & virus scanners.JATreace ...... I just had a quick look at the old hijackthis log you posted and it doesnt look GOOD .
This is what I would start by doing...........
Go into the control panel / add/remove programs ...... and look for Web Search Tool bar ...... and remove it ....... Then while still in add/remove programs..... look for Win-Tools Easy installer ...and remove it.

Now exit control panel........
Next ..... open up your installed anti virus program and make sure its updated ...... ( Don't run it )
Then open up AVG antispyware and manually update it . ( Don't run it )

Next , Turn off your system restore ...........

Next ...... run the lastest version of CClearner ...... run both the "cleaner" as well as the "Issues" ....remove whatever either of them finds.

Now reboot into safe mode and once safe mode has loaded , open your installed anti-virus program and run it ........ Remove anything it finds.

Next , while still in safe mode , open AVG antispyware and run it .
Remove anything it finds.

It might be a idea to print out what has been suggested so you dont miss a step.

When that's complete reboot back into normal mode and run hijackthis again and post new logfile here. ( the old one is many days old )

we'll leave the light on for your return..........

dl65



Alirhgt new log after running the virus & spyware scans in safte mode and removing the things that were listed. Also the Web Search Tool-Bar isn't any spyware I know that, it's for MSN it adds more smileys and things for it & as for the Win-Tools Easy Installer I did not find that.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:02:40 AM, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe
O4 - Startup: csrss.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://karenfuldansgirl.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137297261718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://209.91.143.201/activex/AxisCamControl.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - http://www.cogeco.ca/en/ols21/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4769/mcfscan.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7895 bytes
JATreace ....... Glad to see you return , with a new hijackthis log.

Did you do the scan in safe mode with AVG Antispyware ? I ask because I see no mention of it anywhere.

Here's what I would remove using hijackthis (mark for removal)

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe (added by a worm)

O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe (added by a worm)

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Hopefully you had turned off your system restore

Now click "Fix checked"

Reboot ....see how things are running and post a fresh hijackthis log.


dl65 New HTL log, yes I ran AVG anti-spyware & AVG anti-virus both in safemode. Seems to be running a bit better now, I just need to clean out the other user accounts on the computer. Should I so seperate HTL logs & scans for each user account on the computer?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:20:48 PM, on 23/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1006\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Kayla')
O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Kayla')
O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1006\..\RunServices: [Windows Sz Host] winshvc.exe (User 'Kayla')
O4 - Startup: csrss.lnk = ?
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://karenfuldansgirl.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137297261718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://209.91.143.201/activex/AxisCamControl.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - http://www.cogeco.ca/en/ols21/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4769/mcfscan.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6884 bytes
JATreace ......... Is the last logfile ..... the one that was generated by signing in as the admin , or another user ?....... The admin is the one to use .


dl65 Yea I used the admin account. I noticed though each account held it's own temp files and cookies etc. is why I asked.JATreace ....... This one must be fixed with hijackthis....
So please mark for removal .....
O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1006\..\RunServices: [Windows Sz Host] winshvc.exe (User 'Kayla')

once you have let hijackthis remove it , Reboot and see how things are.
Another loffile from admin should confinrm that.

dl65

I use Windows XP.

I've found four Key loggers but Spyware Doctor won't remove them without a purchase. How can I get rid of them without paying? Or at least some way of finding out where they're stored.

Spybot S&D doesn't find them.

they are:
Smart Keystroke recorder - 27 infections
Actual Spy - 15 infections
Stealth Keylogger - 31 infections
Key Logger King pro - 3 infectionssuperantispyware should find them... spybot should have found actual spy ive dled it and tested it.. is your spybot up to date?? did you run the scans in safe mode?Tried running a full system scan of Superantispy in safe mode but my PC keeps shutting itself off a few seconds in. After restarting I ran a quick scan in normal Windows and it came up with two low risk ad aware files, but no key loggers. I updated definitions before starting.

My SB S&D defs are up to date too.
okay, so I checked again and my SB defs weren't up to date - I thought it was an auto update thing. After rescanning with SB it found all four culprits but again, right near the end the PC shut itself off.
Could you please direct me to a reliable online scanner that's capable of recognizing these and works with Firefox?Does Spyware Doctor tell you where the files are? Did you try to manually remove them in Safe Mode?

Give Panda ActiveScan a try. When it's done scanning, POST the log here along with a HijackThis log.also try CLEANING out your tower with a can of compressed air to hopefully help with the shutting down(might be over heating it happened to a computer i worked on once)

P.S. spybot has never been auto update to my knowing but i could be wrongHave you tried AVG Anti-Spyware ? ?I got lucky with one of the SB scans and managed to get rid of them. I also seemed to have fixed the shut down problem. There was a thick layer of dust covering the fan vent, I had to pick it out with a spoon .... My family is very CHEAP.

thanks for the helpwelcome happy computingAs this issue appears to be RESOLVED, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

You need to FIND out what program or malware is trying to access the internet, Hijackthis will show you the likely suspects.

Zonealarm is convoluted bloatware... end of story.
Get Sygate and it will ALSO tell you what tries to access the internet.
http://www.comcen.com.au/~fed/sygate.zip

Do not update this version as later versions of Sygate were buggy and Symantec have since bought out Sygate so it will either be disolved, absorbed or turned into bloatware like Zonealarm.

Switch off the XP firewall.

NB:I've heard some good things about Komodo(?) firewall but I haven't tried it yet.Hey all,

Thanks for all the help. The thing that seemed to help the most was the Zone-alarm as it helped me see what was trying to access the Internet. I was able to clean up a lot of stuff and get the hourglass to stop. Still not sure what did it!

I know I still have some garbage floating around on my machine but I'm functional now and the hourglass isn’t ticking me off so I'm just PRESSING forward.

Much of this is a bit over my head and it's very upsetting that one cant just by a clean machine off the shelf. Cars, COMPUTERS, tractors, DVD players, ETC should simply work without the consumer becoming an expert in all the detailed functions of the machine...for some reason computer makers refuse to make machines that simply work without a bunch of extra garbage and security holes throughout. Perhaps they are incapable of doing so.

They should be called computer manufacturer "practices" much like the medical and legal professions.


Thanks again!

SFC is System File Checker. You can run it from the command line or under the tools tabs in system information. If this doesn't find the problem try running the Internet Explorer Repair Tool.You winsock may have been damaged by your VIRUS removal. This is kind of common.

I am assuming you are using Windows XP, if not this fix will not help you.

First create a new system restore point by going into START->all programs->accesories->system tools and click system restore.

Follow the instructions to create a new restore point so we can undo the changes if this doesn't work.

Then download and run Winsock Xp Fix from this link: http://www.snapfiles.com/get/winsockxpfix.html

It should offer to do a registry backup, do so.

After using the tool, reboot and reconnect to the net and try to surf again.He's running ME Serrik.Thanks, guess I missed that in the length of the thread.

But it could still be a damaged winsock or TCP/IP stack which is common after virus removals, especially ones that try to hijack your computer as they usually stick extra crap into your TCP/IP which gets YANKED out or left disfunctional with removal.Thank you everone who has tried to assist me over recent weeks. Yesterday the computer connected to the web after I went through everything that had been suggested for a second time. I cannot be certain what caused the success but, of COURSE, I am delighted with the outcome regardless of the exact cure.

Best wishes to all you kind people for 2007.

Peter Edward. Thanks for posting back with your success. This had gone on for a while (ALMOST 2 months!)

hello

for some reason recently Zone firewall on my laptop was turned off and I have to turn it on each time I log on my computer. Any ADVICE is appreciated. thankswhen did this START happening

what protections do u have??


unlovedwarriorHello

now my laptop seems to be working fine and Zone firewall was not turned off. I have Symantec Antivirus and ADWARE program. I remember something. I was on WIRELESS for a while and I plugged in the Kensington firewall as it is said to be protecting your laptop when you are on wireless. MAYBE that caused the Zone Firewall to be turned off. Am I right?

thanks

robinmost likely

After installing the latest updates in Spyware Terminator today it stopped some other security working. ie AVG Anti Virus, Spyware Blaster, RemoveIt. (I never tried the others I have INSTALLED)
I uninstalled Spyware Terminator and all is now well. Just posting this in case someone else has the same problem.
Quote

Note on SpywareTerminator: We originally listed Spyware Terminator on this page out of concerns that Crawler, the company behind the product, had established CONNECTIONS with IBIS, a well known adware distributor responsible for such adware programs as Wintools, Websearch, & Huntbar. Although we FOUND no problems in our initial testing with Spyware Terminator, and while the vendor itself announced that it was exiting the adware business (1), we decided out of caution to impose a three month probation period before we would consider re-testing and, if warranted, de-listing the the product from the Rogue/Suspect list. During that three month probation period we monitored the behavior of IBIS and Crawler. At the end of the three month probation period we re-tested Spyware Terminator, again finding no problems serious enough to justify listing the program on this page. As the vendor involved has not been involved in the distribution of adware for many months, and as the program itself exhibits no problems serious enough to warrant MENTION on this page, we have decided to de-list Spyware Terminator from the Rogue/Suspect list and can no longer regard the program to be "rogue/suspect."

My current protection ARSENAL:

AVG Free
AdAware
Spybot Search and Destroy
Ewido ( now AVG Anti-Spyware )
A-Squared
Jetico Firewall.

All of the above are completely free and i have never had an INSTANCE of anything getting through in 3 1/2 years on this machine.

There are still safe surfing habits to FOLLOW and once in awhile i run one of the online scans just to check but this setup seems to be pretty MUCH BULLETPROOF...

patio. 8-)

not really crippling (anymore), but I have this weird virus that permanently disabled my SYSTEM Restore and doesn't let me right-click in Windows Exporer or on the desktop...ALSO killed my Search function after a while...there were other PROBLEMS at first, but they disappeared after about a day...

and whatever it is, PC-cillin can't find it. :-/ Neither can Ad-Aware.DLoad and update and RUN AVG Anti-Spyware (formerly Ewido ) in safemode with system restore turned off...

Note you will lose all your restore points but chances are they are infected and you wouldn't want them anyway.

patio. 8-)since i can't turn system restore on, that shouldn't be a problem. But you still NEED to make sure it is off...are there multiple "off"s? :-? All I know is I can't change the setting (currently deactivated) i just get an error...

Hello,

I was WONDERING is the SYMANTEC Firewall/VPN 100 APPLIANCE is any good to protect your network(firewall and Antivirus\antispyware) can you give me some feedback ??

Thanks

Al968

Me and my Dad decided to take a free 30 day trial of spyware killer pro from cosmi. We are both running win xp pro, I.E, and both have avg, zone alarm, ewido, spybot and a2. My Dad downloaded spywarekiller pro first and it detected about 7 adware/dialers ETC. We were quite shocked as all scans from the other spyware removers showed pc to be clean. After installing it, his homepage had been changed to msn.com but we thought nothing of it.
We then downloaded spywarekiller pro to my pc and it detected 47 dialers/adware/spyware etc. Also my homepage is now reset to msn. Something doesnt seem right to me. My ewido, spybot and a2 scans were all fine before i used it aswell. Could there really have been all that crap on my pc that was undetected by the other programs??
Would also really appreciate someone taking a look at my hjt log if they would be so kind. would i be able to post it here plz?shell27..... I would be a bit suspicous of that program , particularly if it rendered useless ...... Ewido , A Squared and SpyBot ......

And yes you can post the logfile here ....use more than one post if necessary.
Do you have a log of what it was that this app removed?

dl65
It is impossible to copy the scan results and there are too many to list so here are a few I have noted down:
About blank from coolwebsearch. HKEY-CURRENT-USER: software\microsoft\windows\currentversion\internet settings\zone map\domains\clickspring.net

About blank from coolwebsearch. HKEY-CURRENT-USER: software\microsoft\windows\currentversion\internet settings\zone map\domains\slotchbar.com

VX2.Netpal. HKEY-LOCAL-MACHINE: software\microsoft\internet explorer\ ActiveXcompatibility\(6085fb5b-c28)-8e5d-d2792ea30d2f)

Alexa. HKEY-USERS: s-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping.

There is also Searchex, linkgrabber99, hightraffic, DyfuCA-internet explorer broser helper object,clearsearch, browser aid, ezsearching, lmlserver ie plugin, freescratchandwin, flyswat, iemonit, f—site, peoplepctoolbar, winfixer2005, aureate, dialer.

It CLAIMS that most of these are in my registry, however pc has had no pop ups or other symptoms of spyware. Will post my hjt log next.
Logfile of HijackThis v1.99.1
Scan saved at 18:49:03, on 07/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running PROCESSES:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exeC:\WINDOWS\System32\wfxsnt40.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\SiteAdv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\SDScanner.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Michelle\Local Settings\Temp\Temporary Directory 16 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\saIE.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: Windows LIVE Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\saIE.dll
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exeO4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.ukO16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/088ba1460d2d485a2f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B58503B-3CDE-443F-9EF1-7F6E40F3AAF4}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
Decided to remove spyware killer from my pc through change and remove programs then searched for cosmi to make sure it had gone but another file was lurking there in the program files so i deleted that aswell, but while i was in change and remove programs, i noticed " Cxp plug-in". I have never noticed this there before. Any ideas?
Also ran avg antispyware and it found a few cookies and Lookme adware. I will post my avg report below. Really annoyed about this because site advisor reckons cosmi is ok and spykiller pro has had some good reviews. C:\WINDOWS\Downloaded Program Files\pinstall.dll -> Adware.LookMe : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\RECYCLER\NPROTECT\00036934.ZIP/{9F0F3568-57BE-4BC2-BB96-A6076FAFA2C7} -> TrackingCookie.Adtech : Cleaned.
C:\RECYCLER\S-1-5-21-2000478354-1563985344-854245398-1003\Dc118 -> TrackingCookie.Adtech : Cleaned.
C:\RECYCLER\S-1-5-21-2000478354-1563985344-854245398-1003\Dc155\SpyWare Killer Pro\scanner\Quarantine\{47E78F28-A675-47CA-BED0-FAD46F153A5A}.zip/{56C8F4F1-23C4-4971-95B1-CC47DAD2FA83} -> TrackingCookie.Adtech : Cleaned.
C:\RECYCLER\S-1-5-21-2000478354-1563985344-854245398-1003\Dc48 -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\NPROTECT\00036934.ZIP/{A009A698-43D5-41B9-BD9C-5817F2C8D7E2} -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-2000478354-1563985344-854245398-1003\Dc130 -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-2000478354-1563985344-854245398-1003\Dc155\SpyWare Killer Pro\scanner\Quarantine\{47E78F28-A675-47CA-BED0-FAD46F153A5A}.zip/{7F06AB49-A258-4C3E-95FF-3C958EECD7E8} -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-2000478354-1563985344-854245398-1003\Dc49 -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\RECYCLER\NPROTECT\00036934.ZIP/{E0FA0E10-A692-4893-9B8B-08544227D173} -> TrackingCookie.Serving-sys : Cleaned.
C:\RECYCLER\S-1-5-21-2000478354-1563985344-854245398-1003\Dc54 -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Michelle\Cookies\[emailprotected][1].txt -> TrackingCookie.Valuead : Cleaned.
shell27.....ok ....... Lets see .......
whoa ...... [highlight]Why dont you have SP2 installed ? [/highlight]
Moving on .....
C:\Program Files\Cosmi\SpyWare Killer Pro\scanner\SDScanner.exe ...... Kill this using the program manager ..... ( Didn't you say you had removed this program ?

Mark for removal :
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL

There are several others which you should check , if you know them then leave them as is .
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab [highlight] this looks like your online banking .[/highlight]

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab ...... [highlight]Is this something you know and trust ?[/highlight]
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B58503B-3CDE-443F-9EF1-7F6E40F3AAF4}: NameServer = 195.92.195.95 195.92.195.94 ...... [highlight]Is this your server ? if it is ok , if it's not , remove it .[/highlight]

ok ....... remove the ones you selected and have a look at things .
Let us know

You should D/L and install Spybot again ......... and run it and fix anything it finds. ( make sure you get all the updates )

dl65 o.k, will send you im regarding sp2.
The tcpip line is my server, and the others are ok. I posted the hjt log before i removed spykiller and my new hjt log shows no trace of it now. When i connected to internet this morning, my homepage has been switched to msn.com again despite me changing it in internet options.
My new hjt log has the following item that wasn't there before:
R3- default URL searchhook is missing
Could this be the problem?
Also, Do you have any idea what the cxp plug-in could be?
Thanks for your help.shell26...... How about POSTING a new hijackthis logfile . Also please include which home page you use.

dl65



PS ....... That CXP plugin is for Netscape , I think , do you have it loaded ?

did a search tonight on my PC & found the following notepad document FILED under:
C:\Documents and Settings\Myname\Recent

ONLINE Transmission Summary ¬z³: "1 online banking account updated. DOWNLOADED TRANSACTIONS EReceived 0 new transaction(s) for account AMERICAN Express (Compaq).

I don't do online banking. I did install 2006 turbotax recently but did not file electronically. the previous owner of this computer used to pay bills online but that was s4everal years ago. should i be worried about the notepad document above showing up in C:\Documents and Settings\Myname\Recent
? thanks!ummm did you reformat when you got this machine?? or did you at least scan for malware when you got this machine??If not, you should go do so now, heh. i ran norton antivirus scan last night on ha rd driv e & no threats were found. also ran ccleaner last night. are these sufficient for what i found in a wordpad document last night located at:C:\Documents and Settings\Myname\Recent

Online Transmission Summary ¬z³: "1 online banking account updated. DOWNLOADED TRANSACTIONS EReceived 0 new transaction(s) for account American Express (Compaq).


also, sometimes recently when i am typing in my user name to access hotmail, i see some up and down lines kindda like: l ll lll ll l and then a few seconds later I see my username i typed in---should i be concer NED about this? thanksthats just the page waiting to load..


get avg antispyware free spybot search and destroy and free superantispyware from www.superantispyware.com

You guys have been so much HELP with my last question.
I just ran a scan with my AVG and im getting these:


user 32.dll change C:\windows\system32\user32dll

The other one is:

ntoskrnl.exe change C:\windows\system32\ntoskrnl.exe


They don't end up in the virus vault after the scan and
i can't seem to get rid of it. I had the same problem before
but this is a new computer.

Thanks again for the read. Here is my hijack log



Logfile of HijackThis v1.99.1
Scan saved at 8:22:53 PM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search PAGE = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173913335437
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe





DeeC ....... I don't think your machine is infected ......... I just found this on the AVG forum site.........

QUOTE

There are many valid reasons for those files to show changed, a Windows update, file system check that replaced them if corrupted, and others. As long as AVG doesn't say they are infected it is ok. If it continues to show changed, delete the FOLLOWING file(s) in the C:\ directory and AVG will create a new one(s)...

AVG7DB_F.DAT
AVG7QT.DAT

thanks..I think

Yea, I guess I didn't realize they sign their posts with an eye roll.
Thought he was being sarcastic.

DeeC ...... LOL ........ I always sign my posts with my username and the

If I wanted to be sarcastic, you would know........


dl65