
please check this log....

976 views · 8 replies · 2 participants · last post by khazars
#1 ·
Logfile of HijackThis v1.99.1
Scan saved at 6:39:47 AM, on 08/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arijkmqtqyahgqbbwqrevlsd...5vjHTnAAuDDAISh38MpAbLftr3iOAOwj_DgjBUKa.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {7D41F75B-EFB1-14C9-E1E0-B3DFF8D7711B} - C:\DOCUME~1\COMPAQ~1\APPLIC~1\SIXTHL~1\Itch save.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [meow poke blah bias] C:\Documents and Settings\All Users\Application Data\bait meet meow poke\Gram Ford.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"
O4 - HKCU\..\Run: [Drvbin] C:\DOCUME~1\COMPAQ~1\APPLIC~1\4BEEPL~1\Soft part hope.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-ca\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126783676296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126783659890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
#2 ·
hi, welcome to TSG.

you were getting help here from cheesy and you never went back with the active scan!

http://forums.techguy.org/showthread.php?p=3040525#post3040525

Before you proceed with the removal directions below you need to turn off MS
Anti-Spyware's realtime protection as it will interfere with the changes we
are trying to make.

Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime
Protection" in the left pane.

Remove the check by these:

"Enable the Microsoft Security Agents on startup (recommended)"

"Enable real-time spyware threat protection (recommended)"

Click "Save"

Now right click the MS Anti-spyware icon in your system tray and choose
"Shutdown Microsoft Anti-Spyware"

You should re-enable these when we are finished here.

Also turn off Spy Sweeper's real-time protection, as it can interfere with the fixes!

Download the lop uninstaller

http://www.thespykiller.co.uk/downloads.htm

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

* Download the trial version of Ewido Security Suite here

http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

* Download Cleanup from here

http://www.stevengould.org/software/cleanup/download.html

* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET

* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in
safe mode:

Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arijkmqtqyahgqbbwqrevlsd...wj_DgjBUKa.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [meow poke blah bias] C:\Documents and Settings\All Users\Application Data\bait meet meow poke\Gram Ford.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Drvbin] C:\DOCUME~1\COMPAQ~1\APPLIC~1\4BEEPL~1\Soft part hope.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...free/asinst.cab

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\Documents and Settings\All Users\Application Data\bait meet meow poke\Gram Ford.exe
C:\DOCUME~1\COMPAQ~1\APPLIC~1\4BEEPL~1\Soft part hope.exe

* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

choose extended database for the scan!

Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, have it delete anything that it cannot clean.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!

Post another HijackThis log, plus the Ewido and ActiveScan logs.
 
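The helper's post above picks the entries to fix by eye: autostart (O4) entries launched from a user profile's Application Data, a BHO with no name that loads an .exe, a search-bar URL pointing at a random-looking host, a missing default URLSearchHook, and ActiveX (O16) controls downloaded for one-off online scans. The script below is an added example, not code from this thread or from HijackThis, that applies those same heuristics to HijackThis v1.99 log lines. The sample lines are copied from the first log in the thread, except the Search Bar URL, which is a constructed `.invalid` host (the page's own URL is truncated) built from the host label shown in the log.

```python
"""Triage heuristics for HijackThis v1.99 log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines from the first log in the thread; the R1 URL is a constructed
# stand-in (reserved .invalid TLD) for the truncated search-bar URL on the page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arijkmqtqyahgqbbwqrevlsd.invalid/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7D41F75B-EFB1-14C9-E1E0-B3DFF8D7711B} - C:\DOCUME~1\COMPAQ~1\APPLIC~1\SIXTHL~1\Itch save.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [meow poke blah bias] C:\Documents and Settings\All Users\Application Data\bait meet meow poke\Gram Ford.exe
O4 - HKCU\..\Run: [Drvbin] C:\DOCUME~1\COMPAQ~1\APPLIC~1\4BEEPL~1\Soft part hope.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why the entry deserves a look
    line: str     # the original log line


# Per-user profile + Application Data, in long and 8.3 short forms (Windows XP).
PROFILE_PATH = re.compile(r"(documents and settings|docume~1).*(application data|applic~1)", re.I)
# First executable path in an O4 value, with or without quotes and trailing arguments.
EXE_PATH = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr))"?', re.I)
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.*?)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
R_RE = re.compile(r"^(R[01]) - (HK(?:LM|CU))\\Software\\Microsoft\\Internet Explorer\\Main,([^=]+?) = (\S+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((.*?)\) - (\S+)$")


def looks_random(host: str, min_len: int = 12, max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic: a long hostname label with very few vowels is unlikely to be a brand name."""
    for label in host.lower().split("."):
        if len(label) >= min_len and sum(ch in "aeiou" for ch in label) / len(label) < max_vowel_ratio:
            return True
    return False


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a helper would want to look at, with the reason for each."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            hive, name, value = m.groups()
            pm = EXE_PATH.match(value)
            path = pm.group(1) if pm else value
            if PROFILE_PATH.search(path):
                findings.append(Finding("O4", f"{hive} Run entry [{name}] starts a program from a profile/Application Data path", line))
            elif " " in path.rsplit("\\", 1)[-1]:
                findings.append(Finding("O4", f"{hive} Run entry [{name}] has a multi-word executable name", line))
        elif m := O2_RE.match(line):
            name, clsid, path = m.groups()
            reasons = []
            if name.strip().lower() == "(no name)":
                reasons.append("BHO has no name")
            if not path.lower().endswith(".dll"):
                reasons.append("BHO is registered from a non-DLL file")
            if PROFILE_PATH.search(path):
                reasons.append("BHO loads from a profile/Application Data path")
            if reasons:
                findings.append(Finding("O2", "; ".join(reasons) + f" (CLSID {clsid})", line))
        elif m := R_RE.match(line):
            tag, hive, setting, url = m.groups()
            host = urlparse(url).hostname or ""
            if looks_random(host):
                findings.append(Finding(tag, f"{hive} {setting} points at a random-looking host {host}", line))
        elif line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(Finding("R3", "default URLSearchHook is missing", line))
        elif m := O16_RE.match(line):
            name, url = m.groups()
            findings.append(Finding("O16", f"downloaded ActiveX control '{name}' from {urlparse(url).hostname}: review whether it is still needed", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The vowel-ratio check is only a heuristic for the search-bar hijack in this log; anything it flags still needs a human look, which is how the helper uses these logs.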
#5 ·
I scanned with Kaspersky, but it doesn't give me options to clean infected files. Here is the log I saved from there....
Do I just move on to ActiveScan and leave the trojans for now?


Here's the log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 09, 2005 14:15:52
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 9/11/2005
Kaspersky Anti-Virus database records: 149436
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 57793
Number of viruses found: 3
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 3261 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Compaq_Owner\Application Data\4 beep lite\signthemove.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\Documents and Settings\Compaq_Owner\Application Data\4 beep lite\warn bait bib bird.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\Documents and Settings\Compaq_Owner\Application Data\4 beep lite\xwxudldz.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\Documents and Settings\Compaq_Owner\Application Data\Sixthlicensehide\Itch save.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\Program Files\HijackThis\backups\backup-20051014-072459-852.dll Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\Program Files\HijackThis\backups\backup-20051014-205003-990.dll Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006084.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006153.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006154.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006187.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006195.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP30\A0007690.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP34\A0011756.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP34\A0011757.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP34\A0011758.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0011971.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0011972.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0011973.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0011990.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0011991.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0011992.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0012001.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0012002.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0012003.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012018.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012050.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012051.exe Infected: Trojan-Downloader.Win32.Swizzor.dv
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012052.exe Infected: Trojan-Downloader.Win32.Swizzor.cb

Scan process completed.
 
#6 ·
OK, here's my ActiveScan log

Incident Status Location

Adware:Adware/Lop No disinfected C:\!KillBox\Soft part hope.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006077.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006084.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006151.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006152.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006153.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006154.exe
Spyware:Spyware/Media-motor No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006186.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006187.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006188.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006189.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006190.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006191.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006192.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006193.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006194.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006195.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP30\A0007690.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP33\A0010743.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP34\A0011755.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0011970.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0011981.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP36\A0012000.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012016.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012017.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012018.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012026.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012028.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012029.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012030.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012102.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP37\A0012103.exe
Adware:Adware/ClockSync No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP47\A0015988.exe
Adware:Adware/Comet No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP50\A0020104.dll
Adware:Adware/Comet No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP60\A0022375.dll
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP61\A0023462.exe
Adware:Adware/Lop No disinfected C:\System Volume

So the Lop is still not gone... I don't know why it won't uninstall.

Here is the Ewido report

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:04:44 PM, 09/11/2005
+ Report-Checksum: 831CBBF2

+ Scan result:

C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@lop[1].txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@twci.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Spyware.Comet : Cleaned with backup
C:\WINDOWS\SoftwareDistribution\Download\77495dabb3d23980860e874027902150202a4f21/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\WINDOWS\SoftwareDistribution\Download\77495dabb3d23980860e874027902150202a4f21/mrt.exe -> Heuristic.Win32.AVKiller : Cleaned with backup

::Report End

And my new hijack

Logfile of HijackThis v1.99.1
Scan saved at 3:49:33 PM, on 09/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {7D41F75B-EFB1-14C9-E1E0-B3DFF8D7711B} - C:\DOCUME~1\COMPAQ~1\APPLIC~1\SIXTHL~1\Itch save.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-ca\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126783676296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126783659890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

AHHHHHHHHHHHHHHHHHHHHHHH
:mad: ..... lol ..
 
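Most of the hits in the Kaspersky and ActiveScan reports above sit under `C:\System Volume Information\_restore{...}\RPnn\`, which is where Windows XP System Restore keeps its snapshot copies, or under HijackThis's own `backups` folder and the `C:\!KillBox` folder created by the Killbox tool used earlier in the thread; only a handful are live files in the user's Application Data, and those are exactly the paths the next reply feeds to Killbox. The script below is an added example, not code from this thread or from either scanner, that parses both report formats and separates the live files from the stored copies. The sample lines are copied from the reports in this post.

```python
"""Group antivirus scan-report hits by where the file lives (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Sample lines copied from the Kaspersky and ActiveScan reports in this thread,
# with a few header lines kept to show they are ignored.
SAMPLE_REPORTS = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\Compaq_Owner\Application Data\4 beep lite\signthemove.exe Infected: Trojan-Downloader.Win32.Swizzor.cb
C:\Documents and Settings\Compaq_Owner\Application Data\Sixthlicensehide\Itch save.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\Program Files\HijackThis\backups\backup-20051014-072459-852.dll Infected: Trojan-Downloader.Win32.Swizzor.bo
C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006084.exe Infected: Trojan-Downloader.Win32.Swizzor.bo
Scan process completed.
Incident Status Location
Adware:Adware/Lop No disinfected C:\!KillBox\Soft part hope.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006084.exe
Spyware:Spyware/Media-motor No disinfected C:\System Volume Information\_restore{A3FE4697-A95B-4476-A0D8-DD1DBA8414B7}\RP22\A0006186.exe
"""


@dataclass
class Hit:
    scanner: str    # "kaspersky" or "activescan"
    detection: str  # detection name as reported (ActiveScan status appended)
    path: str       # full path of the object
    location: str   # live, system_restore, hijackthis_backup or killbox


# Kaspersky On-line Scanner: "<path> Infected: <detection>"
KAV_RE = re.compile(r"^([A-Za-z]:\\.*?)\s+Infected:\s+(\S+)$")
# Panda ActiveScan: "<Category:Name> <status words> <path>"; the status may contain spaces
PANDA_RE = re.compile(r"^(\S+)\s+(.+?)\s+([A-Za-z]:\\.*)$")


def classify_location(path: str) -> str:
    """Map a reported path to the kind of place it lives in."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"      # System Restore snapshot copy, not an active file
    if "\\hijackthis\\backups\\" in p:
        return "hijackthis_backup"   # backup HijackThis made when an entry was fixed
    if "\\!killbox\\" in p:
        return "killbox"             # file Killbox already removed from its original location
    return "live"


def parse_report(text: str) -> list[Hit]:
    """Parse Kaspersky and ActiveScan report lines; anything else is ignored."""
    hits: list[Hit] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := KAV_RE.match(line):
            path, det = m.groups()
            hits.append(Hit("kaspersky", det, path, classify_location(path)))
        elif m := PANDA_RE.match(line):
            det, status, path = m.groups()
            hits.append(Hit("activescan", f"{det} ({status})", path, classify_location(path)))
    return hits


def summarize(hits: list[Hit]) -> dict[str, list[Hit]]:
    """Group hits by location class."""
    grouped: dict[str, list[Hit]] = defaultdict(list)
    for h in hits:
        grouped[h.location].append(h)
    return dict(grouped)


def live_paths(hits: list[Hit]) -> list[str]:
    """Unique paths of files still in place, i.e. the ones worth acting on first."""
    return sorted({h.path for h in hits if h.location == "live"})


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORTS)
    for location, group in summarize(parsed).items():
        print(f"{location}: {len(group)} hit(s)")
    print("live files:", *live_paths(parsed), sep="\n  ")
```

Running it on the two reports separates the two live files under `4 beep lite` and `Sixthlicensehide` from the copies in restore points, backups and the Killbox folder, which is the split the helper makes in the following reply.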
#7 ·
Before you proceed with the removal directions below you need to turn off MS
Anti-Spyware's realtime protection as it will interfere with the changes we
are trying to make.

Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime
Protection" in the left pane.

Remove the check by these:

"Enable the Microsoft Security Agents on startup (recommended)"

"Enable real-time spyware threat protection (recommended)"

Click "Save"

Now right click the MS Anti-spyware icon in your system tray and choose
"Shutdown Microsoft Anti-Spyware"

You should re-enable these when we are finished here.

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in
safe mode:

Have HijackThis fix these entries. Close all browsers and programmes before
clicking Fix.

O2 - BHO: (no name) - {7D41F75B-EFB1-14C9-E1E0-B3DFF8D7711B} - C:\DOCUME~1\COMPAQ~1\APPLIC~1\SIXTHL~1\Itch save.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\DOCUME~1\COMPAQ~1\APPLIC~1\SIXTHL~1\Itch save.exe
C:\Program Files\NetAssistant\bin\matcli.exe
C:\Documents and Settings\Compaq_Owner\Application Data\4 beep lite\signthemove.exe
C:\Documents and Settings\Compaq_Owner\Application Data\4 beep lite\warn bait bib bird.exe
C:\Documents and Settings\Compaq_Owner\Application Data\4 beep lite\xwxudldz.exe
C:\Documents and Settings\Compaq_Owner\Application Data\Sixthlicensehide\Itch save.exe

Post another log.
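An added example, not part of the thread or of HijackThis itself: a small Python script that does what the helper above does by eye, namely parse the R/O entries of a HijackThis 1.99 log, flag the entries a helper would look at first (a BHO with no name, an executable launched from the user's Application Data), and, once the new log comes back, confirm that the two "fix these" lines are actually gone. The log fragments in it are constructed from lines quoted in this thread and are not complete logs; the heuristics are prompts for a human reader, not verdicts.

```python
"""Triage a HijackThis v1.99 log the way the helper in this thread reads it:
parse the R/O entries, flag the ones worth a first look, and after the fix
confirm that the targeted entries are gone from the new log.

The log fragments below are constructed for this example from lines quoted
in the thread; they are not complete logs."""
import re

# One HJT entry per line: a section code (R0-R3, O1-O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Return the (section, body) entries of a log, in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag(entries):
    """Simple heuristics for entries a helper looks at first.

    Returns (section, body, reason) triples. These are prompts for a human,
    not verdicts: legitimate entries can trip them too."""
    hits = []
    for section, body in entries:
        reasons = []
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object with no name")
        # Software that installs itself under the user's Application Data
        # (long or 8.3 short path) is far more often adware than not.
        if "\\Application Data\\" in body or "\\APPLIC~1\\" in body:
            reasons.append("executable under the user's Application Data")
        if reasons:
            hits.append((section, body, "; ".join(reasons)))
    return hits


def removed_entries(before, after):
    """Entries in the earlier log that no longer appear in the later one."""
    after_set = set(after)
    return [entry for entry in before if entry not in after_set]


def still_present(fix_lines, log_text):
    """Which of the helper's 'fix these' lines still show up in a log?
    An empty list is what 'clean log' means for those entries."""
    present = set(parse_hjt(log_text))
    return [entry for entry in parse_hjt(fix_lines) if entry in present]


# Constructed "before" fragment: clean entries around the two targeted ones.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7D41F75B-EFB1-14C9-E1E0-B3DFF8D7711B} - C:\DOCUME~1\COMPAQ~1\APPLIC~1\SIXTHL~1\Itch save.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# The two lines the helper told the poster to have HijackThis fix.
FIX_LIST = r"""
O2 - BHO: (no name) - {7D41F75B-EFB1-14C9-E1E0-B3DFF8D7711B} - C:\DOCUME~1\COMPAQ~1\APPLIC~1\SIXTHL~1\Itch save.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
"""

# Constructed "after" fragment: the same log with those two entries gone.
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    for section, body, reason in flag(before):
        print(f"LOOK AT  {section} - {body}\n         ({reason})")
    for section, body in removed_entries(before, after):
        print(f"REMOVED  {section} - {body}")
    leftovers = still_present(FIX_LIST, AFTER_LOG)
    print("clean log" if not leftovers else f"{len(leftovers)} targeted entries remain")
```

Run it as-is to see the report on the constructed fragments, or paste a real log into BEFORE_LOG and AFTER_LOG. Matching is on the whole entry body, so a fix that changed the CLSID or path but left the entry behind would still show up as present, which is the behaviour you want when checking a follow-up log.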
 
#8 ·
Logfile of HijackThis v1.99.1
Scan saved at 7:24:14 PM, on 09/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\TPT Registry_Cleaner (Trial)\regclean.exe"
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-ca\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126783676296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126783659890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
 
#9 ·
Clean log.

How's your computer running now? Any better?

You should now turn off System Restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.

How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

Here are some free tools to keep you from getting infected in the future.

To stop reinfection, get these two tools, SpywareGuard and SpywareBlaster,
from

http://www.javacoolsoftware.com/downloads.html

Get the hosts file from here.

http://www.mvps.org/winhelp2002/hosts.htm

Put it into:

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

IE-SPYAD: puts over 5000 sites in your Restricted zone so you'll be protected
when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm

Prevx: it stops spyware.

http://www.prevx.com/prevxhome.asp

Use Spybot's Immunize button and SpywareBlaster's Enable Protection once you
update it. You can put Spybot's hosts file into your own and lock it.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has
a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good
e-mail client.

http://www.mozilla.org/

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm

You can mark your own thread solved through Thread Tools at the top of
the page.
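The hosts file step above, as an added example that is not part of the original post: a Python script to sanity-check a blocking hosts file before you copy it into C:\WINDOWS\SYSTEM32\DRIVERS\ETC. A blocking file should only ever send names to a sink address (it accepts 0.0.0.0, 127.0.0.1 and ::1 as sinks; that set is an assumption of this example). Any entry pointing a name at a real address is a redirect, which is exactly the hijack such a file is meant to prevent, so the check refuses to call a file safe if it finds one. The sample file in the script is constructed for the example and uses documentation domains, not the MVPS file.

```python
r"""Sanity-check a blocking hosts file before copying it into
C:\WINDOWS\SYSTEM32\DRIVERS\ETC (Windows XP).

A blocking hosts file should only ever send names to a sink address
(0.0.0.0, 127.0.0.1 or ::1; this set is an assumption of the example).
Any other target is a redirect, which is exactly the kind of hijack the
file is meant to protect against, so a file that contains one should not
be installed. SAMPLE_HOSTS is a constructed fragment, not the MVPS file."""
import ipaddress

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are skipped.
    One line may map several hostnames to the same address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an address: malformed line, ignore
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def redirects(entries):
    """Entries that point a name at something other than a sink address."""
    return [(addr, name) for addr, name in entries if addr not in SINK_ADDRESSES]


def is_blocked(entries, hostname):
    """True if the file sinks this hostname (hostnames are case-insensitive)."""
    hostname = hostname.lower()
    return any(addr in SINK_ADDRESSES and name == hostname for addr, name in entries)


def check(text):
    """The summary you want before installing: counts plus any redirects."""
    entries = parse_hosts(text)
    bad = redirects(entries)
    return {
        "entries": len(entries),
        "sunk": sum(1 for addr, _ in entries if addr in SINK_ADDRESSES),
        "redirects": bad,
        "safe_to_install": not bad,
    }


# Constructed sample: a localhost line, three blocked names, one hijack line.
SAMPLE_HOSTS = """\
# constructed sample hosts file (documentation domains only)
127.0.0.1       localhost
0.0.0.0 ads.example.net tracker.example.org
0.0.0.0 banner.example.com   # comment after the entry
203.0.113.7 www.example.com  # a redirect: this is what a hijacked file looks like
"""

if __name__ == "__main__":
    report = check(SAMPLE_HOSTS)
    print(report)
    entries = parse_hosts(SAMPLE_HOSTS)
    print("ads.example.net blocked:", is_blocked(entries, "ADS.EXAMPLE.NET"))
    print("www.example.com blocked:", is_blocked(entries, "www.example.com"))
```

Point it at the downloaded file (read it into a string and pass it to check) before you overwrite the one in drivers\etc; the same check is worth running on the existing hosts file on an infected machine, since a redirect entry there is a finding in its own right.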
 