Can you tell me if my computer is ok? HJT log


Dark Master

Thread Starter
Joined
Jul 14, 2006
Messages
19
It takes an age for my computer to boot up... I've scanned for spyware w/ Spybot & viruses with ZoneAlarm, found some, removed it. I have tried downloading all the Windows updates and they did not help. My computer often opens websites at random and has put a couple of extra icons on my desktop just by starting the internet. Windows Defender BETA has been no help either. Are you able to help??

Here is my HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 02:28:36, on 15/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Peer 2 Peer\BitDownloadedGames,Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,aqnsplq.exe
O1 - Hosts: // Created By BPS Popup Shield.
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152387261824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152388014214
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F25DF78-E9F1-4656-BAF0-1BEFF945BABE}: NameServer = 83.146.21.6 212.158.248.5
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Blink182

Banned
Joined
Jul 8, 2006
Messages
602
G'day Dark Master! :p

Welcome to TSG! :D

Now I ain't no log reader, but I think there is something malicious in there. But I am going to wait for a proper log person reader thingy.
 

Dark Master

Thread Starter
Joined
Jul 14, 2006
Messages
19
Hi brendandonhu,

I ran the Qoofix file that you recommended. It said that there were no problems, but here is my new HJT log.

Oh and thanks in advance for your help

Logfile of HijackThis v1.99.1
Scan saved at 12:23:45, on 15/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Computer Maintenance\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: // Created By BPS Popup Shield.
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152387261824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152388014214
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F25DF78-E9F1-4656-BAF0-1BEFF945BABE}: NameServer = 83.146.21.6 212.158.248.5
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Joined
Jul 8, 2002
Messages
14,681
Save The Avenger to your Desktop

Copy the contents of the following box to your clipboard:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\Windows\system32\repairs303169590.dll

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | adstart

Run The Avenger and click OK
Select Input script manually and click the magnifying glass icon
In the View/edit script box, right-click and choose Paste
Click Done. Press the button with a picture of a green light
Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
Post the contents of the file C:\Avenger.txt along with a new HijackThis log
 

Dark Master

Thread Starter
Joined
Jul 14, 2006
Messages
19
Here is the Avenger contents.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jvjncbwi

*******************

Script file located at: \??\C:\WINDOWS\system32\pabnvggr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Windows\system32\repairs303169590.dll not found!
Deletion of file C:\Windows\system32\repairs303169590.dll failed!

Could not process line:
C:\Windows\system32\repairs303169590.dll
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|adstart deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Now here is the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 15:58:08, on 15/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Computer Maintenance\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: // Created By BPS Popup Shield.
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager Tool] C:\WINDOWS\update\updmangr.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152387261824
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152388014214
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F25DF78-E9F1-4656-BAF0-1BEFF945BABE}: NameServer = 83.146.21.6 212.158.248.5
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Joined
Jul 8, 2002
Messages
14,681
Save KillBox to your Desktop

Run HijackThis and click Do a system scan only
Put a checkmark next to each of the following entries that appear:

O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager Tool] C:\WINDOWS\update\updmangr.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"

Click Fix Checked and exit HijackThis


Run KillBox and select Delete on Reboot
Copy this list of file locations to your clipboard:

C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\update\updmangr.exe

Go to File>>Paste from clipboard. Click All Files
Press the button with a red circle with an X in it, then Yes when prompted to restart your computer
WARNING: Your computer will be restarted. Any unsaved work in open applications will be lost.

Post a new HijackThis log and let me know if you're still having any problems.
 

Dark Master

Thread Starter
Joined
Jul 14, 2006
Messages
19
Hi Brendan,

Here is the latest HJT log. I think that I have still got problems because my comp still opens random pages on me and is slower than I think it should be, but it is better than it was (y) Thanks again for all your help :D

Logfile of HijackThis v1.99.1
Scan saved at 01:25:24, on 18/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\Computer Maintenance\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: // Created By BPS Popup Shield.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsl1D.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6786A6AD-28D4-4EC2-8F59-0E70CAFF1C08} - C:\WINDOWS\System32\jkhhg.dll
O2 - BHO: (no name) - {ADC205B0-2C68-408C-A22B-96AAD69B99FD} - C:\Program Files\SpeedTouch\hosekuz.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\heink.dll (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\dbquery.dll (file missing)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\System32\jkhhg.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\hWl.dll (file missing)
O20 - Winlogon Notify: winkqu32 - winkqu32.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Joined
Jul 8, 2002
Messages
14,681
Well, there are a number of things that were not there before. You should install an antivirus program like AVG if you don't already have one: http://free.avg.com
An antispyware program like Ewido would also help: http://ewido.net

Please download VundoFix.exe to your Desktop
Double-click VundoFix.exe and click the Scan for Vundo button
Once it's done scanning, click the Remove Vundo button. Click Yes when prompted to remove the files found
Your Desktop may go blank for a moment. Click OK when prompted to shut down your computer
Turn your computer back on
Please post the contents of C:\vundofix.txt

Save The Avenger to your Desktop

Copy the contents of the following box to your clipboard:

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkqu32

Files to delete:
C:\WINDOWS\System32\nsl1D.dll
C:\WINDOWS\System32\jkhhg.dll
C:\WINDOWS\system32\adrotate.dll
C:\WINDOWS\system32\heink.dll
C:\WINDOWS\system32\dbquery.dll
C:\WINDOWS\system32\hWl.dll
C:\Windows\system32\winkqu32.dll

Run The Avenger and click OK
Select Input script manually and click the magnifying glass icon
In the View/edit script box, right-click and choose Paste
Click Done. Press the button with a picture of a green light
Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
Post the contents of the file C:\Avenger.txt

Go to Start>>Run>>cmd. Type sc delete UpdateManager and press Enter
Type sc delete UpdateManagerTool and press Enter

Checkmark and Fix any of these that show up in HijackThis:
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nsl1D.dll
O2 - BHO: (no name) - {6786A6AD-28D4-4EC2-8F59-0E70CAFF1C08} - C:\WINDOWS\System32\jkhhg.dll
O2 - BHO: (no name) - {ADC205B0-2C68-408C-A22B-96AAD69B99FD} - C:\Program Files\SpeedTouch\hosekuz.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\heink.dll (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\dbquery.dll (file missing)
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\System32\jkhhg.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\hWl.dll (file missing)
O20 - Winlogon Notify: winkqu32 - winkqu32.dll (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe (file missing)
Then post a new HijackThis log
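
Comparing successive HijackThis logs entry by entry, as is done by eye in this thread, can be scripted so that new autostart entries and entries whose target file has gone missing stand out. This is an added example, not part of the original posts; the two excerpts are constructed from lines in the 15/07/2006 and 18/07/2006 logs above, and the function names are hypothetical.

```python
import re
from collections import namedtuple

# Section entries look like "O4 - HKLM\..\Run: [name] path". Header lines and
# the "Running processes" list do not match and are ignored.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
MISSING = "(file missing)"
Entry = namedtuple("Entry", "code line missing")

# Constructed excerpts built from lines in the thread's logs.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 15:58:08, on 15/07/2006
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 01:25:24, on 18/07/2006
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: (no name) - {6786A6AD-28D4-4EC2-8F59-0E70CAFF1C08} - C:\WINDOWS\System32\jkhhg.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\System32\jkhhg.dll
O20 - Winlogon Notify: winkqu32 - winkqu32.dll (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text):
    """Map (code, normalized body) -> Entry for each section line in a log.

    The "(file missing)" suffix is split off into a flag so that the same
    registry entry compares equal before and after its file is deleted.
    Bodies are lower-cased because Windows paths are case-insensitive.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group(1), m.group(2).strip()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        entries[(code, body.lower())] = Entry(code, line, missing)
    return entries


def diff_hjt(before_text, after_text):
    """Return entries added, removed, and newly orphaned between two scans."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    added = sorted(after[k].line for k in after.keys() - before.keys())
    removed = sorted(before[k].line for k in before.keys() - after.keys())
    newly_missing = sorted(
        after[k].line
        for k in after.keys() & before.keys()
        if after[k].missing and not before[k].missing
    )
    return {"added": added, "removed": removed, "newly_missing": newly_missing}


if __name__ == "__main__":
    result = diff_hjt(BEFORE, AFTER)
    for label in ("added", "removed", "newly_missing"):
        print(f"[{label}]")
        for line in result[label]:
            print("  " + line)
```

An entry listed under `newly_missing` means the file was deleted but the registry reference (here a service) is still registered and needs separate cleanup.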
 

Dark Master

Thread Starter
Joined
Jul 14, 2006
Messages
19
Hi Brendan,



VundoFix V5.1.4

Checking Java version...

Java version is 1.5.0.3

Scan started at 20:59:07 18/07/2006

Listing files found while scanning....

C:\windows\system32\jkhhg.dll
C:\windows\system32\ghhkj.ini
C:\windows\system32\ghhkj.bak1
C:\windows\system32\ghhkj.bak2

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe could not be stopped
Vundofix may not be able to delete some files that were found.

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\jkhhg.dll
C:\windows\system32\jkhhg.dll Could not be deleted.

Attempting to delete C:\windows\system32\ghhkj.ini
C:\windows\system32\ghhkj.ini Has been deleted!

Attempting to delete C:\windows\system32\ghhkj.bak1
C:\windows\system32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\windows\system32\ghhkj.bak2
C:\windows\system32\ghhkj.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\^nsyalwe

*******************

Script file located at: \??\C:\WINDOWS\qyyqikwf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\nsl1D.dll deleted successfully.
File C:\WINDOWS\System32\jkhhg.dll deleted successfully.
File C:\WINDOWS\system32\adrotate.dll deleted successfully.


File C:\WINDOWS\system32\heink.dll not found!
Deletion of file C:\WINDOWS\system32\heink.dll failed!

Could not process line:
C:\WINDOWS\system32\heink.dll
Status: 0xc0000034



File C:\WINDOWS\system32\dbquery.dll not found!
Deletion of file C:\WINDOWS\system32\dbquery.dll failed!

Could not process line:
C:\WINDOWS\system32\dbquery.dll
Status: 0xc0000034



File C:\WINDOWS\system32\hWl.dll not found!
Deletion of file C:\WINDOWS\system32\hWl.dll failed!

Could not process line:
C:\WINDOWS\system32\hWl.dll
Status: 0xc0000034



File C:\Windows\system32\winkqu32.dll not found!
Deletion of file C:\Windows\system32\winkqu32.dll failed!

Could not process line:
C:\Windows\system32\winkqu32.dll
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhg not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhg failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkqu32 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 22:01:29, on 18/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Computer Maintenance\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: // Created By BPS Popup Shield.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {7667B560-6208-6A2B-7E17-6D86352EB927} - http://85.255.115.229/1/gdnFR1440.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F25DF78-E9F1-4656-BAF0-1BEFF945BABE}: NameServer = 83.146.21.6 212.158.248.5
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I have no idea what most of this stuff means and I am very glad that you do!(y) (y) :)
 
Joined
Jul 8, 2002
Messages
14,681
Yes, Windows updates should be installed.

Your log looks clean now. Do a virus scan and let me know if you're still having any problems as well.
Go to Kaspersky Online Scanner and click Accept
When the updates are finished downloading, click Next>>Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here
 

Dark Master

Thread Starter
Joined
Jul 14, 2006
Messages
19
Here it is Brendan.

The numbers here don't look good :confused:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, July 20, 2006 1:45:33 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 20/07/2006
Kaspersky Anti-Virus database records: 208490
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 104374
Number of viruses found: 30
Number of infected objects: 67
Number of suspicious objects: 0
Duration of the scan process: 02:07:54

Infected Object Name / Virus Name / Last Action
C:\!KillBox\updmangr.exe Infected: Backdoor.Win32.Agent.abc skipped
C:\!KillBox\updmgr.exe Infected: Trojan-Proxy.Win32.Agent.cv skipped
C:\avenger\backup.zip/avenger/jkhhg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\avenger\backup.zip/avenger/nsl1D.dll Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\avenger\backup.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\ICD1.tmp\USDR6_0001_D17M1107NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-PSW.Win32.Sinowal.v skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Sinowal.v skipped
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
C:\Program Files\Internet Explorer\htjldmpk.exe Infected: Trojan-Downloader.Win32.Delf.aeu skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP333\A0090683.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP334\A0090728.dll Infected: not-a-virus:AdWare.Win32.404Search.l skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP334\A0090745.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP334\A0090746.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP334\A0090747.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP335\A0090776.dll Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP337\A0091722.exe Infected: Trojan.Win32.LowZones.y skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP341\A0091787.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP341\A0091787.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP341\A0091787.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FB6D66DA-525F-44D1-96F1-93C8106449BC}\RP138\A0044603.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\System Volume Information\_restore{FB6D66DA-525F-44D1-96F1-93C8106449BC}\RP138\A0044604.dll Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\VundoFix Backups\jkhhg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\WINDOWS\amm06.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N85M0307NetInstaller.exe Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\WINDOWS\media_motor_bundle.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe NSIS: infected - 6 skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7LVIK6EV\drsmartload46a[1].exe Infected: Trojan-Downloader.Win32.Adload.cw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7LVIK6EV\mc-110-12-0000228[1].exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7LVIK6EV\mc-110-12-0000228[1].exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7LVIK6EV\mc-110-12-0000228[1].exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7LVIK6EV\thiselt[1].exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\drsmartload849a[1].exe Infected: Trojan-Downloader.Win32.Adload.cw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\drsmartload[1].exe Infected: Trojan-Downloader.Win32.Adload.ct skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\media_motor_bundle[1].exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\media_motor_bundle[1].exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\media_motor_bundle[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\media_motor_bundle[1].exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\media_motor_bundle[1].exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\media_motor_bundle[1].exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EYCBQ85I\media_motor_bundle[1].exe NSIS: infected - 6 skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLCNBABP\drsmartload45a[1].exe Infected: Trojan-Downloader.Win32.Adload.cv skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLCNBABP\nwnmd_5[1].exe Infected: Trojan-Clicker.Win32.VB.fe skipped
C:\WINDOWS\system32\eltpower.exe Infected: Trojan-Downloader.Win32.VB.afa skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\icon_mediamotor.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\icon_mediamotor.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\icon_mediamotor.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\mc-110-12-0000141.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\WINDOWS\system32\mc-110-12-0000141.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\WINDOWS\system32\mc-110-12-0000141.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\nodeipproc.dll Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\qghumeay.dll Infected: Backdoor.Win32.Agent.vc skipped
C:\WINDOWS\system32\spnsvc.dll Infected: Backdoor.Win32.Agent.vc skipped
C:\WINDOWS\system32\ts_mediamotor.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\ts_mediamotor.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\ts_mediamotor.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\vturqrp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\WINDOWS\system32\YazzleBundle-1125.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\system32\YazzleBundle-1125.exe NSIS: infected - 1 skipped
C:\WINDOWS\twink.exe Infected: Trojan-Downloader.Win32.Small.ddh skipped

Scan process completed.
 
Joined
Jul 8, 2002
Messages
14,681
Install CleanUp!

Run CleanUp! and go to Options>>Custom CleanUp!
Put a checkmark next to each of the following items:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK>>CleanUp!
Exit CleanUp!

Go to Start>>Run. Type msconfig and press Enter
Click Launch System Restore then click System Restore Settings
Put a checkmark next to Turn off system restore on all drives and click Apply>>OK
Close System Restore utility and the System Configuration Utility

Run KillBox and select Delete on Reboot
Copy this list of file locations to your clipboard:

C:\avenger\
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\Program Files\Internet Explorer\htjldmpk.exe
C:\VundoFix Backups\
C:\WINDOWS\amm06.ocx
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe
C:\WINDOWS\media_motor_bundle.exe/data0002
C:\WINDOWS\media_motor_bundle.exe/data0003
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\system32\eltpower.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\mc-110-12-0000141.exe
C:\WINDOWS\system32\nodeipproc.dll
C:\WINDOWS\system32\qghumeay.dll
C:\WINDOWS\system32\spnsvc.dll
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\vturqrp.dll
C:\WINDOWS\system32\YazzleBundle-1125.exe
C:\WINDOWS\twink.exe
Go to File>>Paste from clipboard. Click All Files
Press the button with a red circle with an X in it, then Yes when prompted to restart your computer
WARNING: Your computer will be restarted. Any unsaved work in open applications will be lost.
Go to Start>>Run. Type msconfig and press Enter
Click Launch System Restore then click System Restore Settings
Uncheck Turn off system restore on all drives and click Apply>>OK
Close System Restore utility and the System Configuration Utility


Find and delete this folder: C:\!KillBox\
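
An added example (not part of the original posts, and not code from any tool named in this thread): the Kaspersky report lists members inside archives and installers on their own lines, so one file on disk can appear several times. This Python sketch folds those member lines into their host file and groups the hosts by location; the bucket names are this example's own labels, and the sample is a handful of lines copied from the report above.

```python
import re
from collections import defaultdict

# One report line: "<path> Infected: <verdict> skipped" or "<path> NSIS: infected - N skipped"
LINE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)|[A-Z]+: infected - \d+) skipped$")

# (bucket, lower-case path fragment); bucket names are this example's own labels
BUCKETS = [
    ("restore-point", "\\system volume information\\_restore"),
    ("tool-backup", "c:\\!killbox\\"),
    ("tool-backup", "c:\\avenger\\"),
    ("tool-backup", "c:\\vundofix backups\\"),
    ("temp-cache", "\\temporary internet files\\"),
]

def bucket_for(host):
    low = host.lower()
    return next((name for name, frag in BUCKETS if frag in low), "live")

def triage(report):
    """Return {bucket: {host_file: sorted verdicts}}, folding container members into hosts."""
    found = defaultdict(lambda: defaultdict(set))
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, statistics and blank lines
        host = m["path"].split("/", 1)[0]  # text after "/" is a member inside the file
        verdicts = found[bucket_for(host)][host]
        if m["verdict"]:  # "NSIS: infected - 6" summary lines carry no verdict
            verdicts.add(m["verdict"])
    return {b: {h: sorted(v) for h, v in hosts.items()} for b, hosts in found.items()}

# Sample input: a few lines copied from the report posted in this thread
SAMPLE = r"""
C:\avenger\backup.zip/avenger/jkhhg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cq skipped
C:\System Volume Information\_restore{D259DBE9-6C03-44A8-AD91-3CEC679BF6E9}\RP337\A0091722.exe Infected: Trojan.Win32.LowZones.y skipped
C:\WINDOWS\media_motor_bundle.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe NSIS: infected - 6 skipped
C:\WINDOWS\system32\spnsvc.dll Infected: Backdoor.Win32.Agent.vc skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GLCNBABP\nwnmd_5[1].exe Infected: Trojan-Clicker.Win32.VB.fe skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        for host, verdicts in hosts.items():
            print(f"{bucket:13} {host}  {', '.join(verdicts)}")
```
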
 

Dark Master

Thread Starter
Joined
Jul 14, 2006
Messages
19
Brendan,

The computer won't reboot itself!

Here is the message I'm getting.

PendingFileRenameOperations Registry Data has been removed by External Process!

I thought this might be to do with being online (Noob) but disconnecting did nothing?
 