1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: PSw.x-Vir Spyware Popup Problems - HJT incl.

Discussion in 'Virus & Other Malware Removal' started by tashaq, Nov 11, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    THe yellow "security" dialog has been flashing for the past day or two directing to several suuposed malware/spywares the most common of which being the PSW.x-Vir trojan alert. These are leading to ie popups sporadically appearing at will and also significantly slowing down my computer.

    There are also two additional icons now on my desktop "Security Troubleshooting" and "online security guide".

    I have included a HJT Log to give some idea of what is going on. Any help would be much appreciated.

    Tashaq
     
  2. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:05, on 11/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Video Add-on\icthis.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\PROGRA~1\WinTV\EPGSER~1\System\EPGCLI~1.EXE
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\Video Add-on\icmntr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\DAP\DAP.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\User\Application Data\SopCast\adv\SopAdver.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/MD/?func=newreg&lang=0&prtr=4476005&ctry=00000809&os=5&src=1
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [EPGServiceTool] C:\PROGRA~1\WinTV\EPGSER~1\System\EPGCLI~1.EXE /Minimize
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189017671718
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: NameServer = 85.255.115.22,85.255.112.196
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: NameServer = 85.255.115.22,85.255.112.196
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.22 85.255.112.196
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.22 85.255.112.196
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.22 85.255.112.196
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O22 - SharedTaskScheduler: exegeses - {1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f} - C:\WINDOWS\system32\bubbj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 11591 bytes
     
  3. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Ive just run ad-aware thinking it may help but instead i found some other spyware which has now been deleted - the main problem still persists.

    IF someone could get back to me it would really mean a lot
    Tashaq

    NB
    I have attached the ad-aware log file if it helps at all
     

    Attached Files:

  4. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Bump! Anyone have any advice?

    Thanks in advance
    Tashaq
     
  5. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    any ideas?
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!



    Please download (save) SmitfraudFix (by S!Ri) to your desktop. SmitfraudFix runs under W2K, XP only.

    Extract the content (a folder named SmitfraudFix) to your Desktop. Select all of the contents and Extract them
    to a new folder called SmitfraudFix.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  7. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Thanks for the reply.

    Here is the report as follows:

    SmitFraudFix v2.252

    Scan done at 21:25:32.34, 11/11/2007
    Run from C:\Documents and Settings\User\My Documents\Unzipped\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\PROGRA~1\WinTV\EPGSER~1\System\EPGCLI~1.EXE
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\DAP\DAP.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\User\Application Data\SopCast\adv\SopAdver.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User\FAVORI~1

    C:\DOCUME~1\User\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\Video Add-on\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f}"="exegeses"

    [HKEY_CLASSES_ROOT\CLSID\{1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f}\InProcServer32]
    @="C:\WINDOWS\system32\bubbj.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f}\InProcServer32]
    @="C:\WINDOWS\system32\bubbj.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="kduwd.exe"

    kduwd.exe detected !


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 85.255.115.22
    DNS Server Search Order: 85.255.112.196

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E92CB6E-FB9D-43A5-B8B5-974738070AD9}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{9E92CB6E-FB9D-43A5-B8B5-974738070AD9}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{9E92CB6E-FB9D-43A5-B8B5-974738070AD9}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.22 85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.22 85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.115.22 85.255.112.196


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.



    Please post the C:\rapport.txt and a new HJT log in your next reply.
     
  9. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Once again thanks, Below are the consequent rapport and HJT logs.

    SmitFraudFix v2.252

    Scan done at 21:52:56.28, 11/11/2007
    Run from C:\Documents and Settings\User\My Documents\Unzipped\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f}"="exegeses"

    [HKEY_CLASSES_ROOT\CLSID\{1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f}\InProcServer32]
    @="C:\WINDOWS\system32\bubbj.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1817ab5d-25bf-4d5e-ba90-6e5fe658fc5f}\InProcServer32]
    @="C:\WINDOWS\system32\bubbj.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\bubbj.dll -> Hoax.Win32.Renos.gen.o
    C:\WINDOWS\system32\bubbj.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
    C:\DOCUME~1\User\FAVORI~1\Online Security Test.url Deleted
    C:\Program Files\Video Add-on\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E92CB6E-FB9D-43A5-B8B5-974738070AD9}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{9E92CB6E-FB9D-43A5-B8B5-974738070AD9}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: NameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{9E92CB6E-FB9D-43A5-B8B5-974738070AD9}: DhcpNameServer=85.255.115.22,85.255.112.196
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.22 85.255.112.196
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.22 85.255.112.196
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.115.22 85.255.112.196


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="kduwd.exe"

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» Reboot

    C:\WINDOWS\system32\kduwd.exe Deleted

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:59:09, on 11/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\PROGRA~1\WinTV\EPGSER~1\System\EPGCLI~1.EXE
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\setup\avast.setup

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/MD/?func=newreg&lang=0&prtr=4476005&ctry=00000809&os=5&src=1
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [EPGServiceTool] C:\PROGRA~1\WinTV\EPGSER~1\System\EPGCLI~1.EXE /Minimize
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189017671718
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73AC06D6-C5A9-47EF-81E1-CC810F619568}: NameServer = 85.255.115.22,85.255.112.196
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90FB4B47-49E3-467D-8354-F508A03F690A}: NameServer = 85.255.115.22,85.255.112.196
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.22 85.255.112.196
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.22 85.255.112.196
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.22 85.255.112.196
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 10850 bytes
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    Close all applications and browser windows before you click "fix checked".


    Please print these instructions for reference, as you will have to restart your computer during the fix.

    Please download FixWareout from Here or Here.

    Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.
    1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    2. The fix will begin; follow the prompts.
    3. If your firewall gives an alert, (because this tool will download an additional files from the internet), please don't let your firewall block it, but allow it instead.
    4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    5. Once the desktop loads a text file will open (report.txt).
      Please post the C:\fixwareout\report.txt ), along with a new HijackThis log into this thread.
     
  12. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Thanks, below are both reports.

    Username "User" - 12/11/2007 18:45:20 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver"="85.255.115.22 85.255.112.196" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{73AC06D6-C5A9-47EF-81E1-CC810F619568}
    "nameserver"="85.255.115.22,85.255.112.196" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{90FB4B47-49E3-467D-8354-F508A03F690A}
    "nameserver"="85.255.115.22,85.255.112.196" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{90FB4B47-49E3-467D-8354-F508A03F690A}
    "DhcpNameServer"="85.255.115.22,85.255.112.196" <Value cleared.
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9E92CB6E-FB9D-43A5-B8B5-974738070AD9}
    "DhcpNameServer"="85.255.115.22,85.255.112.196" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CHotkey"="zHotkey.exe"
    "Lexmark 1200 Series"="\"C:\\Program Files\\Lexmark 1200 Series\\lxczbmgr.exe\""
    "EPGServiceTool"="C:\\PROGRA~1\\WinTV\\EPGSER~1\\System\\EPGCLI~1.EXE /Minimize"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
    "UVS11 Preload"="C:\\Program Files\\Ulead Systems\\Ulead VideoStudio 11\\uvPL.exe"
    "GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~
     
  13. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:57:48, on 12/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\PROGRA~1\WinTV\EPGSER~1\System\EPGCLI~1.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/MD/?func=newreg&lang=0&prtr=4476005&ctry=00000809&os=5&src=1
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [EPGServiceTool] C:\PROGRA~1\WinTV\EPGSER~1\System\EPGCLI~1.EXE /Minimize
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189017671718
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 10027 bytes
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You have two anti-virus programs running, which will cause trouble. Uninstall one of them.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.
     
  15. tashaq

    tashaq Thread Starter

    Joined:
    Apr 5, 2007
    Messages:
    98
    Thanks. here are the logs:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/13/2007 at 01:19 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3342
    Trace Rules Database Version: 1343

    Scan type : Complete Scan
    Total Scan Time : 05:01:47

    Memory items scanned : 521
    Memory threats detected : 0
    Registry items scanned : 6417
    Registry threats detected : 10
    File items scanned : 119855
    File threats detected : 7

    Trojan.Media-Codec/V4
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#ProductionEnvironment
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayIcon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayVersion
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#Publisher

    Adware.180solutions/Seekmo
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{790B697C-E72F-4BFA-9B95-AFA2829E72CD}\RP189\A0014767.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{790B697C-E72F-4BFA-9B95-AFA2829E72CD}\RP189\A0014768.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{790B697C-E72F-4BFA-9B95-AFA2829E72CD}\RP189\A0014769.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{790B697C-E72F-4BFA-9B95-AFA2829E72CD}\RP189\A0014770.DLL

    Trojan.SmitFraud-Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{790B697C-E72F-4BFA-9B95-AFA2829E72CD}\RP212\A0016170.DLL

    Trojan.Unknown Origin
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{790B697C-E72F-4BFA-9B95-AFA2829E72CD}\RP212\A0016179.ICO
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{790B697C-E72F-4BFA-9B95-AFA2829E72CD}\RP212\A0016180.ICO
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Solved Spyware Popup
  1. jennys95
    Replies:
    1
    Views:
    661
  2. rjay13
    Replies:
    0
    Views:
    290
  3. dano_61
    Replies:
    14
    Views:
    921
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/650490

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice