1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Loads of undeleteable trojans, spyware, viruses etc

Discussion in 'Virus & Other Malware Removal' started by bigdavejob, Jan 21, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. bigdavejob

    bigdavejob Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    13
    Hello,

    Operating System: Windows XP

    I am receiving many messages from Norton Antivirus telling me that a certain file is infected with trojan.awax. Norton repeatedly tells me that they cannot repair, quarantine or delete this file. There are a few other things that it keeps coming up with too, but since the trojan.awax is the only one that I can tell you. I am a beginner at this kind of thing so idiot-proof help would be appreciated.

    Hijack v.1.99.0 log:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:05:48, on 21/01/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system\dllhost.exe
    C:\WINDOWS\system\icrss.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\TEMP\7BE1.tmp
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\leakbqrp.dll",setvm
    O4 - HKLM\..\RunServices: [Microsoft Configurs12] msoftconfs2.exe
    O4 - HKLM\..\RunServices: [MS Domain Name Server Deamon] MSDNSD32.exe
    O4 - HKLM\..\RunServices: [System Service] servza.exe
    O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
    O4 - HKLM\..\RunServices: [Windows Services Layer] C:\WINDOWS\System32\ctfnon.exe
    O4 - HKLM\..\RunServices: [blah services] ofkksasp.exe
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\RunServices: [Omni] omns.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
    O16 - DPF: {E cellSpacing=5 cellPadding=3 width=400} -
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A57D1DD1-658D-4D3A-9FC9-23AB683B82E0}: NameServer = 212.9.0.135 212.9.0.136
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
    O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
    O21 - SSODL: hemadynamometer - {6076d2b1-634c-4685-843b-f826045ea5dc} - C:\WINDOWS\System32\syycum.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    Thanks
     
  2. bigdavejob

    bigdavejob Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    13
    could someone please help? my computer is going really really slow.

    it is only 0.8 ghz and has 256 RAM (i think)
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!



    Please download (save) SmitfraudFix (by S!Ri) to your desktop.
    Extract the content (a folder named SmitfraudFix) to your Desktop. Select all of the contents and Extract them
    to a new folder called SmitfraudFix.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  4. bigdavejob

    bigdavejob Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    13
    Thanks, Idid as you said and this is the log:-

    SmitFraudFix v2.133

    Scan done at 21:51:43.90, 21/01/2007
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

    C:\DOCUME~1\ADMINI~1\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="http://www.digitalblasphemy.com/graphics/freeg/endlessblue.jpg"
    "SubscribedURL"="http://www.digitalblasphemy.com/graphics/freeg/endlessblue.jpg"
    "FriendlyName"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{6076d2b1-634c-4685-843b-f826045ea5dc}"="hemadynamometer"

    [HKEY_CLASSES_ROOT\CLSID\{6076d2b1-634c-4685-843b-f826045ea5dc}\InProcServer32]
    @="C:\WINDOWS\System32\syycum.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6076d2b1-634c-4685-843b-f826045ea5dc}\InProcServer32]
    @="C:\WINDOWS\System32\syycum.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~4\\GOEC62~1.DLL"


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.



    Please post the C:\rapport.txt and a new HJT log in your next reply.
     
  6. bigdavejob

    bigdavejob Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    13
    ok did as you said but Norton still says:

    "Norton AntiVirus has detected a virus on your computer

    Object Name: C:\WINDOWS\system32\urqpnnm.dll
    Virus Name: Trojan.Awax
    Action Taken: Unable to repair this file / access to the file was denied"


    rapport.txt:-

    SmitFraudFix v2.133

    Scan done at 22:34:18.26, 21/01/2007
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{6076d2b1-634c-4685-843b-f826045ea5dc}"="hemadynamometer"

    [HKEY_CLASSES_ROOT\CLSID\{6076d2b1-634c-4685-843b-f826045ea5dc}\InProcServer32]
    @="C:\WINDOWS\System32\syycum.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6076d2b1-634c-4685-843b-f826045ea5dc}\InProcServer32]
    @="C:\WINDOWS\System32\syycum.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\ADMINI~1\FAVORI~1\Online Security Test.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    _____________________________________________________________
    HJT log:-

    Logfile of HijackThis v1.99.1
    Scan saved at 23:04:19, on 21/01/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system\dllhost.exe
    C:\WINDOWS\system\icrss.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\WINDOWS\System32\ctfnon.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\WINDOWS\System32\rasautou.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\leakbqrp.dll",setvm
    O4 - HKLM\..\Run: [Windows Services Layer] C:\WINDOWS\System32\ctfnon.exe
    O4 - HKLM\..\RunServices: [Microsoft Configurs12] msoftconfs2.exe
    O4 - HKLM\..\RunServices: [MS Domain Name Server Deamon] MSDNSD32.exe
    O4 - HKLM\..\RunServices: [System Service] servza.exe
    O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
    O4 - HKLM\..\RunServices: [Windows Services Layer] C:\WINDOWS\System32\ctfnon.exe
    O4 - HKLM\..\RunServices: [blah services] ofkksasp.exe
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [Windows Services Layer] C:\WINDOWS\System32\ctfnon.exe
    O4 - HKCU\..\RunServices: [Omni] omns.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
    O16 - DPF: {E cellSpacing=5 cellPadding=3 width=400} -
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Go to add/remove programs & select messenger plus & then select uninstall sponsor.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.





    Download and install AVG Anti-Spyware 7.5 AVG ANTI-SPYWARE IS ONLY FOR SYSTEMS RUNNING WIN 2K and XP
    (This is Ewdio 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
    1. After download, double click on the file to launch the install process.
    2. Choose a language, click "OK" and then click "Next".
    3. Read the "License Agreement" and click "I Agree".
    4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
    5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
    6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
    7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
    8. Go to Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
    • When you find the guard service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Manual".
    • Now click "Apply", then "OK" and close the Services window.
    9. Select the "Update" button and click "Start update". Wait until you see the "Update succesfull message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Scan with AVG Anti-Spyware as follows:
    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?" check all (default).
    • Under "Possibly unwanted software" check all (default).
    • Under "What to Scan?" make sure "Scan every file" is selected (default).
    • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
    2. Click the "Scan" tab to return to scanning options.
    3. Click "Complete System Scan" to start.
    4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?

    5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    6. Exit AVG Anti-Spyware when done, reboot normally.

    Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

    Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
    1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

    2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.


    Run Panda ActiveScan here

    Once you are on the Panda site click the "Scan your PC" button.
    A new window will open... click the "Check Now" button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address.
    Select either Home User or Company.
    Click the big "Scan Now" button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
    When download is complete, click on "Local Disks" to start the scan.
    When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.

    Post a new HiJack This log along with the results from ActiveScan and the log report from AVG Anti-Spyware in your next response
     
  8. bigdavejob

    bigdavejob Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    13
    i am doing as oyu said but panda scan is taking hours. does it always take so long? It has been going for a good 2 hours and has scanned about 40000 files

    in the mean time

    AVG log

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 17:59:53 22/01/2007

    + Scan result:



    C:\WINDOWS\Downloaded Program Files\MirarSetup.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1202660629-1677128483-1343024091-500\Software\DNS -> Adware.Shorty : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{AD1CBA46-DA9A-427B-A2D5-92814A33CE05}\RP174\A0152693.dll -> Adware.Zango : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{AD1CBA46-DA9A-427B-A2D5-92814A33CE05}\RP173\A0148510.exe -> Backdoor.Agent.aew : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\repcale.exe -> Backdoor.Hupigon.hk : Cleaned with backup (quarantined).
    C:\WINDOWS\security\winsecure.exe -> Backdoor.Iroffer.1227 : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\TFTP3684 -> Backdoor.Rbot : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{AD1CBA46-DA9A-427B-A2D5-92814A33CE05}\RP172\A0139414.exe -> Backdoor.Rbot.bjx : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\3631382D2D2D.exe -> Downloader.Adload.az : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\3631382D2D2D.exe -> Downloader.Adload.az : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\3631382D2D2D.exe -> Downloader.Adload.bc : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\config\systemprofile\My Documents\Τasks\winword.exe -> Downloader.PurityScan.bv : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\UERS_0001_NI57M1124NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\cl4ss.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned with backup (quarantined).
    :mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.44:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.94:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.128:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.129:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.130:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.131:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.132:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.79:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.80:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.81:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.82:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.142:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
    :mozilla.49:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.90:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.143:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.144:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.145:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.146:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.147:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.159:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.160:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.64:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    :mozilla.73:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.75:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.77:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eutlvllz.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX6_0001_N69M1503NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX6_0001_N69M1503NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N69M0903NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N69M1503NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\xn1ck5t -> Trojan.Irc.flood.dv : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\xtf -> Trojan.LowJone.A.7 : Cleaned with backup (quarantined).
    C:\WINDOWS\security\FireDaemon.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\niamx -> Worm.Randon.am : Cleaned with backup (quarantined).


    ::Report end
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    The scan could take a while depending on the size of the drive, how much data you have etc...
     
  10. bigdavejob

    bigdavejob Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    13
    well the internet went down just now and lost the scan status. It aws about 10%$ of the way through after about 2.5 hours. Is this scan essential?
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please post your hijackthis log again.
     
  12. bigdavejob

    bigdavejob Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    13
    Logfile of HijackThis v1.99.1
    Scan saved at 19:45:05, on 23/01/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system\dllhost.exe
    C:\WINDOWS\system\icrss.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\ctfnon.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\WINDOWS\System32\rasautou.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\jghjjefr.dll",setvm
    O4 - HKLM\..\Run: [Windows Services Layer] C:\WINDOWS\System32\ctfnon.exe
    O4 - HKLM\..\RunServices: [Microsoft Configurs12] msoftconfs2.exe
    O4 - HKLM\..\RunServices: [MS Domain Name Server Deamon] MSDNSD32.exe
    O4 - HKLM\..\RunServices: [Windows Services Layer] C:\WINDOWS\System32\ctfnon.exe
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [Windows Services Layer] C:\WINDOWS\System32\ctfnon.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
    O16 - DPF: {E cellSpacing=5 cellPadding=3 width=400} -
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You need to go here and install "Service Pack 1" This will patch numerous security holes in IE and Windows. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates before we proceed or we will be wasting our time.

    DO NOT install Service pack 2 yet. If you install SP 2 on an infected machine it will cause serious problems. Just get Service Pack 1 installed. After you get SP1 installed, restart your computer. Come back here and post the new Hijack This log.
     
  14. bigdavejob

    bigdavejob Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    13
    It won't let me install SP1 from there, it says something about an invalid key
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Did you purchase the CD you installed from?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/537197

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice