
Solved: False GUI / False [email protected] HELP Needed

Discussion in 'Virus & Other Malware Removal' started by Dimi73, Dec 9, 2005.

Thread Status:
Not open for further replies.
  1. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    Hello All

    I was browsing the internet when a window opened and it looked odd so I closed it.

    As soon as I did so, all my internet windows closed at once.

    I ran spybot, MS Antispyware Beta, AVG Anti virus, everything was of the latest update as of today Dec 9th. It found nothing.

    I searched the internet and found the Tech support guy website, and this is my last hope.

    My google.com homepage keeps being hijacked to this:

    http://www.yoursystemupdate.com/

    And it invites me to download fishy antispyware: Spy Trooper, SpyAxe or TheSpyguard.

    I understand it is a painful process to remove this, and I need someone who would help me by giving me a step-by-step guide on how to remove whatever it is that hijacks my homepage and allows the pop-ups.

    I sincerely hope someone can help.

    Thanks

    Dimi73
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    • Run HijackThis and click Do a system scan and save a log file
    • Post the log here

    Did you download any of the antispyware programs from that site?
     
  3. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    Hello Brendandonhu, and thanks for the fast response!

    Here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 02:51:54, on 10/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\mssearchnet.exe
    C:\WINDOWS\system32\nvctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\lxbtcoms.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dimitri\Local Settings\Temporary Internet Files\Content.IE5\07Y9ININ\HijackThis[1].exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpC1EE.tmp
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
    O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.qwizonline.com/cabs/QOLCheck.ocx
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4387/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BEDAF8FF-4DAC-47CF-9FA8-A6102E9C0289}: NameServer = 212.23.6.100 212.23.3.100
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  4. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    PS: I did not download them. I mean I did click on them, but did not save them.

    Dimi73
     
  5. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    • Please save or print these instructions before beginning
    • Save SpyAxeFix to your Desktop. Run the program and click Start
    • Open the SpyAxeFix folder and run SpyAxeFix.bat
    • Your computer will restart when the tool is finished
    • A text file will be created in the SpyAxeFix folder. Post the contents here
    • Save smitRem to your Desktop and run smitRem.exe
    • Download and install Ewido Security Suite
    • During the installation, uncheck the following under Additional Options:

      Install background guard
      Install scan via context menu
    • Run Ewido and click OK when prompted to update the program
    • On the left side of the screen, click update>>Start
    • When the update is finished, exit Ewido
    • Open the smitRem folder and run RunThis.bat. Follow the onscreen prompts
    • Run Ewido Security Suite
    • Click scanner>>Complete System Scan
    • Click OK when prompted to clean the problems found
    • When the scan is finished, click Save Report and save a copy of this log to your Desktop
    • Exit Ewido
    • Go to Start>>Control Panel>>Internet Options>>Programs
    • Click Reset Web Settings>>Apply>>OK
    • Go to Start>>Control Panel>>Display>>Desktop
    • Click Customize Desktop>>Web
    • If you see an entry called Security info or something similar, select it and click Delete>>OK>>Apply>>OK
    • Restart your computer
    • Post the contents of the Ewido Security Suite report that you saved to your Desktop earlier
    • Run HijackThis and click Do a system scan and save a log file
    • Your HijackThis log will open in Notepad. Post the contents of the log here
     
  6. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    Hi Brendan,

    The link to SpyAxeFix did not open anything. Is that normal?

    Also, when I run the self-extractor for SmitRem it has 3 options:

    - Confirm overwrite
    - Don't overwrite
    - Overwrite

    Which one should I choose?

    Thanks

    Dimi73
     
  7. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Hit Confirm Overwrite...were you able to get SpyAxeFix?
     
  8. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    Hi

    I was not able to get SpyAxeFix, and I just ran SmitRem and Ewido but forgot to do it in Safe Mode. Do I have to restart in Safe Mode?

    Sorry, it's 4 am here and I am really not very good with computers.

    Ewido found 8 infected objects. Shall I hit OK for the remove action as per the Ewido prompt, or shall I do nothing, restart my computer in Safe Mode and re-run SmitRem and Ewido?

    Please advise and sorry for being hopeless...

    :-(

    dimi73
     
  9. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Do it in Safe Mode
     
  10. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    OK.

    I'll do it all now and will be back in 20 minutes.

    Thanks so much for your patience!

    Dimi73
     
  11. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    I feel like a complete idiot.

    How do I go into Safe Mode?

    I did restart my computer and hit F8, but it seems it did not work.

    Please tell me how to do it.

    Dimi73
     
  12. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    Brendan,

    It is getting worse: SpyAxe just installed itself. MS Antispyware prompted me that it was trying to install itself and I hit Remove, but it installed itself.

    I seriously need help.

    Please help me.

    Dimi73
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  14. Dimi73

    Dimi73 Thread Starter

    Joined:
    Dec 9, 2005
    Messages:
    93
    Hi Brendan, Hi Mark,

    Firstly thank you guys for all the advice.

    I'll just give you an overview of what I did:

    -1- I went into Safe Mode.

    -2- I ran SmitRem.

    -3- I ran Ewido and saved the report on my desktop [which I did not find later when I rebooted in normal mode, I think simply because of step -5- below].

    -4- I did the following:

    - Go to Start>>Control Panel>>Internet Options>>Programs
    Click Reset Web Settings>>Apply>>OK

    - Go to Start>>Control Panel>>Display>>Desktop
    Click Customize Desktop>>Web
    If you see an entry called Security info or something similar, select it and click Delete>>OK>>Apply>>OK

    I did not see the entry called Security Info.

    -5- I restarted my computer and did a System Restore. I chose the date of Dec 8th (Thursday) because I did not save any new files on Dec 9th (Friday).

    -> Since then everything seems to work fine, and I ran the various scanners as described below, BUT they found some BUGS:

    A - I ran the Kaspersky online scanner and here is the log:

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Saturday, December 10, 2005 11:15:36
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 10/12/2005
    Kaspersky Anti-Virus database records: 164254
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 56649
    Number of viruses found: 4
    Number of infected objects: 13
    Number of suspicious objects: 0
    Duration of the scan process: 2589 sec

    Infected Object Name - Virus Name
    C:\Program Files\Microsoft AntiSpyware\Quarantine\A5C61561-EE11-48B5-8457-6C9510\D420ABDF-4767-472F-B80C-F2D49A Infected: not-a-virus:Downloader.Win32.Spax.a
    C:\Program Files\Microsoft AntiSpyware\Quarantine\D97BDB5F-97A5-4795-BDE1-28BB2D\797F23FF-B41C-4E26-A610-93CFBD Infected: not-a-virus:Downloader.Win32.Spax.a
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP377\A0047424.exe Infected: not-a-virus:porn-Dialer.Win32.GBDialer.d
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP377\A0047432.tlb Infected: Trojan-Downloader.Win32.Zlob.br
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP377\A0047437.exe Infected: not-a-virus:porn-Dialer.Win32.GBDialer.d
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP378\A0047454.tlb Infected: Trojan-Downloader.Win32.Zlob.br
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP378\A0047472.tlb Infected: Trojan-Downloader.Win32.Zlob.br
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP378\A0047507.tlb Infected: Trojan-Downloader.Win32.Zlob.br
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP378\A0047523.tlb Infected: Trojan-Downloader.Win32.Zlob.br
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP378\A0047524.exe Infected: Trojan-Downloader.Win32.Zlob.cl
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP378\A0047526.exe Infected: Trojan-Downloader.Win32.Zlob.br
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP379\A0047705.exe Infected: not-a-virus:porn-Dialer.Win32.GBDialer.d
    C:\System Volume Information\_restore{2C502657-49AF-4D52-BE5C-D5FA6D579313}\RP379\A0047707.exe Infected: not-a-virus:porn-Dialer.Win32.GBDialer.d

    Scan process completed.

    B - I ran Hijack this, and here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:49:46, on 10/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dimitri\Local Settings\Temporary Internet Files\Content.IE5\MX6P8VQD\HijackThis[1].exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
    O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.qwizonline.com/cabs/QOLCheck.ocx
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4387/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BEDAF8FF-4DAC-47CF-9FA8-A6102E9C0289}: NameServer = 212.23.3.100 212.23.6.100
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    C - I ran Active Scan and here is the log:


    Incident Status Location

    Spyware:spyware/searchcentrix Not desinfected Windows Registry
    Adware:Adware/SpyAxe Not desinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A5C61561-EE11-48B5-8457-6C9510\D420ABDF-4767-472F-B80C-F2D49A
    Adware:Adware/SpyAxe Not desinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D97BDB5F-97A5-4795-BDE1-28BB2D\797F23FF-B41C-4E26-A610-93CFBD

    SO, I still need your help to DESTROY whatever remains, but I feel we have removed the most harmful bugs so far.

    Please let me know what I need to do now.

    Thanks very very much for your help!

    Dimi73
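The two HijackThis logs posted in this thread differ in exactly the places a helper looks at: the `O2` BHO loaded from `hpC1EE.tmp` in system32 and the `mssearchnet.exe`/`nvctrl.exe` processes are gone after cleanup, and two orphaned `(no file)` BHO entries remain. The following is an added example, not code from the thread or from the HijackThis project: a small Python triage script that parses HijackThis v1.99 logs, flags those O2 patterns, and diffs a before/after pair. The embedded logs are short excerpts of the two logs above.

```python
"""Parse, flag and diff HijackThis logs (added example, not thread or project code)."""
import re
from dataclasses import dataclass, field

# Every classified HijackThis line looks like "O2 - BHO: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

@dataclass
class HjtLog:
    processes: set = field(default_factory=set)   # lower-cased image paths
    entries: list = field(default_factory=list)   # (code, body) in log order

def parse_hjt(text: str) -> HjtLog:
    """Split a log into the 'Running processes:' block and the Rxx/Oxx entries."""
    log, in_procs = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()                 # forum posts indent the whole log
        if not line:
            in_procs = False               # a blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            log.processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group(1), m.group(2)))
    return log

def flag_suspicious(log: HjtLog) -> list:
    """Heuristics for the O2 entries the thread turns on; returns (entry, reason)."""
    flags = []
    for code, body in log.entries:
        if code != "O2":
            continue
        low = body.lower()
        # A BHO whose DLL is a .tmp file: the SpyAxe/Zlob "HomepageBHO" pattern seen above.
        if re.search(r"\\[^\\]+\.tmp$", low):
            flags.append((f"{code} - {body}", "BHO backed by a .tmp file"))
        # CLSID still registered but the DLL is gone: a leftover to clean, not an active threat.
        elif low.endswith("(no file)"):
            flags.append((f"{code} - {body}", "orphaned BHO (no file)"))
    return flags

def diff_logs(before: HjtLog, after: HjtLog) -> dict:
    """What disappeared and what appeared between two scans of the same machine."""
    b, a = set(before.entries), set(after.entries)
    return {
        "processes_gone": sorted(before.processes - after.processes),
        "processes_new": sorted(after.processes - before.processes),
        "entries_gone": sorted(b - a),
        "entries_new": sorted(a - b),
    }

def triage(before_text: str, after_text: str) -> dict:
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {"flags_before": flag_suspicious(before),
            "flags_after": flag_suspicious(after),
            "diff": diff_logs(before, after)}

# Excerpts of the two logs posted in the thread (02:51 before cleanup, 11:49 after).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpC1EE.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""

if __name__ == "__main__":
    print(triage(BEFORE, AFTER))
```

Run against the full logs pasted in a thread, the same functions show which startup items a cleanup tool actually removed, which is what the helpers here check before declaring a machine clean.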
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Why did you do a System Restore? That wasn't necessary! Running SmitRem etc... should have solved most of your problems. :confused:
     
Short URL to this thread: https://techguy.org/423943
